
How to track users' activities across all systems?

vwilson3
Path Finder

Greetings,

I have been asked to create a report that tracks users' activities across all of our servers in chronological order.  We have Windows and Linux OS, as well as applications such as Oracle and HANA, among others.  I'm not sure where to begin a search string like that, aside from the indexes we use.  Any assistance is greatly appreciated.

1 Solution

PickleRick
SplunkTrust

It is a very very general question to which - in this form - the answer can be only "list all your users' activities and sort them".

It's hard to say what data you have, what exactly can you get from your events and what the search is for (from my experience it's probably a request by someone - possibly your superior - who doesn't really know what he wants; but that's just my 20+ years of dealing with such requests talking 😉 ).

Furthermore, searching for user activities across all your indexes would be a very heavy search, would yield a humongous set of results which would be simply unusable for anything.

Such general requests are very very rarely a good thing. Try to either be more specific, or get the requestor to be more specific.


vwilson3
Path Finder

Thank you both for your feedback.  I agree this is a very broad request, and while we do use CIM as much as possible, not all fields match up as you stated. I also figured such a search would take up too many resources every time it ran, if it completed at all.

I will take your feedback back to the requestors and explain.


isoutamo
SplunkTrust

Hi

This is quite a huge job ;-)

First you must know what you already have in your Splunk. After you know that, you must collect the missing information from those systems. The best way to do it is to use TAs and Apps from splunkbase.splunk.com. There are already tested TAs for e.g. Unix/Linux, Windows, some DBs and SAP (and a lot more). There are also some apps like ITSI or IT Essentials Work which could help you?

When you are ingesting data into Splunk you must normalise it with CIM (Splunk Common Information Model). The main idea of this is to get the same field names, tags etc. for different data sources (like user vs. user_id vs. account). After that it's much easier to do those queries or use ready-made Apps.

r. Ismo
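To make the CIM point above concrete, here is an added example search (not from the thread or from any Splunk TA) that builds the chronological per-user timeline the question asks for while keeping the search narrow. The index names and the user `jdoe` are constructed placeholders; the three raw field names are the ones named in the post above.

```spl
(index=wineventlog OR index=linux_os OR index=oracle_audit OR index=hana_audit)
    earliest=-24h@h latest=now
    (user="jdoe" OR user_id="jdoe" OR account="jdoe")
| eval user=lower(coalesce(user, user_id, account))
| table _time, index, sourcetype, host, user, action, signature, src, dest
| sort 0 _time
```

Filtering on the raw field names in the base search keeps the work on the indexers instead of pulling every event back for the `eval`; the durable fix is to do the same aliasing once in the TA's props.conf (FIELDALIAS or EVAL) so every search sees a single `user` field.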

