Archive
Highlighted

Historical searches for multisearch command

Communicator

Does anyone know of a way to search all search histories containing |multisearch? Based on the previous answer, this query shows all searches using multisearch as a seperate row.
For example this multisearch below would show up as two seperate searches in the search history rather than 1 containing the word multisearch

|multisearch
[search 1]
[search 2]

https://answers.splunk.com/answers/12477/get-users-search-history.html
index=audit action=search info=granted search=* NOT "searchid='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search time | sort _time | convert ctime(time) | stats list(_time) as time list(search) as search by user

0 Karma
Highlighted

Re: Historical searches for multisearch command

SplunkTrust
SplunkTrust

works nice for me to look for them in the _audit index ...
wrote a quick search:

| multisearch
[ search earliest=-1m@m index=_internal | eval marker="mark" ] 
[ search earliest=-1m@m index=_audit | eval marker="mark" ]

then looked for this search at the _audit index:

something like this:

index = _audit action=search info=granted multisearch
| rex field=search "\[(?<first_search>[^\]]+)\].*+[\r\n]\[(?<second_search>[^\]]+)"

then you can look at the values for first_search and second_search

note, you might want to modify the rex to fit your requirement, just observe the values of the search field in the _audit index
another tip: change the values for marker when you are running your test searches, splunk supposed to automatically capture them in _audit so you can verify the strings are recorded accordingly.
index = _audit action=search info=granted | stats count by search marker

hope it helps

0 Karma