Exclude Splunk's own audit trail log in search results?

az365 — Fri, 31 Mar 2023 23:59:43 GMT

HI,

I am new to Splunk. If criteria is met, I notice my search results include my previous searches stored in Splunk's own audit trail. They have:

host = [one of the Splunk nodes]

source = audittrail

sourcetype = audittrail

Is there a way to exclude it? It generates a lot of noise when I am refining my searches.. Thanks.

Re: Exclude Splunk's own audit trail log in search results?

richgalloway — Sat, 01 Apr 2023 00:08:39 GMT

That will happen if you specify index=_audit in your query. Don't do that if you don't want to see that data.

It also will happen if your default indexes list includes _* or _audit and you don't specify index name(s) in your query. Don't do that. Always include at least one index name in your queries (with few exceptions).

Or specifically exclude that source(type) in your query.

blah blah source!=audittrail blah blah

topic Exclude Splunk's own audit trail log in search results? in Splunk Search

Exclude Splunk's own audit trail log in search results?

Re: Exclude Splunk's own audit trail log in search results?