topic Re: How to get the list of Adhoc Search and Saved search running by user in Audit logs. in Splunk Search

How to get the list of Adhoc Search and Saved search running by user in Audit logs.

harishsplunk7 — Mon, 11 Sep 2023 15:25:43 GMT

I need to get the list of Adhoc Searches and Saved search running by user in Audit logs.

how to differentiate these searches in _audit logs, is there any specific keyword to identify the searches

Re: How to get the list of Adhoc Search and Saved search running by user in Audit logs.

richgalloway — Wed, 13 Sep 2023 12:24:39 GMT

Searches are in the audit log. Saved searches will have a non-empty value in the savedsearch_name field. The user name is in the user field.

index=_audit action=search | table user savedsearch_name search

Re: How to get the list of Adhoc Search and Saved search running by user in Audit logs.

harishsplunk7 — Thu, 14 Sep 2023 12:59:22 GMT

This is not working at all, We will get all the searches running in splunk. because there is no keyword to identify whether search is savedsearch or Ad-hoc search or Reports.

Re: How to get the list of Adhoc Search and Saved search running by user in Audit logs.

richgalloway — Thu, 14 Sep 2023 13:04:27 GMT

As stated in my response, a saved search will have a non-empty value in the savedsearch_name field (keyword). If savedsearch_name="" then the search is ad-hoc.