Identify users and searches searching over all time

Splunk Employee

Is there a way to query the internal logs to see the timeframe over which searches ran specifically if they were run over all time? I've looked through Splunk On Splunk (SoS), but I can't find a way to understand the timeframe over which a search was executed.


Revered Legend

Using _audit index

index=_audit action="search" search="*" | table user, apiStartTime, apiEndTime

If apiStartTime='ZERO_TIME' and apiEndTime='ZERO_TIME', the search ran over "All Time" [basically the earliest date to now].

Update

You may get the total run time with the following.

index=_audit action="search" info="completed"
| table user, total_run_time, api_et, api_lt, result_count
| eval api_et=strftime(api_et,"%m/%d/%Y %H:%M:%S:%3Q")
| eval api_lt=strftime(api_lt,"%m/%d/%Y %H:%M:%S:%3Q")

Note: you will not get the search string that you executed. Also, somehow it was not showing all the searches that I executed, so check that as well.


SplunkTrust

I have a couple of alerts for this in Alerts for Splunk Admins or look directly in the savedsearches.conf here

SearchHeadLevel - Scheduled Searches without a configured earliest and latest time

The above is for scheduled searches only; the post by tioumen9x, which queries the audit logs, will get you anyone who searched all time, which might be what you want to check as well...


Engager

This works for us:

index=_audit action="search" search="*" 
| where user!="admin"
| table _time, user, apiStartTime, apiEndTime 
| search apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME' 
| timechart limit=0 count by user

We are now able to alert these users directly through email.


Engager

A bit more accurate, and as we are linked with LDAP we are able to get specific information related to the user (e.g. email ...):

index=_audit action="search" search="" NOT search="'|" user!="admin" user!="splunk-system-user" apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME'
| table _time, user, apiStartTime, apiEndTime
| stats count by user
| table user, count
| sort - count
| join type=left user
[| rest splunk_server=local /services/authentication/users/
| table email, title
| rename title as user]
| table user, count, email


Revered Legend

See if the updated answer helps you to some extent.


Splunk Employee

Thanks, that does it. Unfortunately, though, those events don't include the total_run_time field, so you can't tell how long they took to execute.

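Added example, not code from the thread or from Splunk: a Python version of the correlation the accepted answer and the last comment point at, run over constructed _audit lines. It joins the "granted" events (which carry the search string and the apiStartTime/apiEndTime bounds) to the "completed" events (which carry total_run_time) on search_id, so each All Time search is reported together with who ran it, the SPL, and its runtime; the sample events, user names and the simplified Audit:[...] layout are assumptions.

```python
import re
from collections import Counter

# Constructed, simplified _audit events (not from the thread): Splunk's
# "Audit:[key=value, ...]" layout, reduced to the fields this thread relies on.
SAMPLE_AUDIT = """\
Audit:[timestamp=05-01-2023 10:00:01.000, user=alice, action=search, info=granted , search_id='1683000001.10', search='search index=web error', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""]
Audit:[timestamp=05-01-2023 10:00:09.000, user=alice, action=search, info=completed, search_id='1683000001.10', total_run_time=7.84, result_count=120000, api_et=N/A, api_lt=N/A]
Audit:[timestamp=05-01-2023 10:01:00.000, user=bob, action=search, info=granted , search_id='1683000060.11', search='search index=web', apiStartTime='Mon May  1 09:01:00 2023', apiEndTime='Mon May  1 10:01:00 2023', savedsearch_name=""]
Audit:[timestamp=05-01-2023 10:01:02.000, user=bob, action=search, info=completed, search_id='1683000060.11', total_run_time=1.20, result_count=300, api_et=1682931660, api_lt=1682935260]
Audit:[timestamp=05-01-2023 10:02:00.000, user=splunk-system-user, action=search, info=granted , search_id='1683000120.12', search='search index=_internal', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name="ACME - summary"]
Audit:[timestamp=05-01-2023 10:03:00.000, user=carol, action=search, info=granted , search_id='1683000180.13', search='search index=* sourcetype=syslog', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""]
"""

KV_RE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|([^,\]]*))""")
EXCLUDED_USERS = {"admin", "splunk-system-user"}  # excluded in the thread's queries

def parse_audit_event(line):
    """Parse one Audit:[...] line into a dict; quoted and bare values are both handled."""
    body = line[line.find("[") + 1:line.rfind("]")]
    return {m.group(1): next(g for g in m.groups()[1:] if g is not None).strip()
            for m in KV_RE.finditer(body)}

def all_time_searches(lines):
    """Pair 'granted' events (SPL string + apiStartTime/apiEndTime) with 'completed'
    events (total_run_time) by search_id and report the searches run over All Time."""
    granted, completed = {}, {}
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("action") != "search" or "search_id" not in ev:
            continue
        if ev.get("info") in ("granted", "completed"):
            (granted if ev["info"] == "granted" else completed)[ev["search_id"]] = ev
    findings = []
    for sid, ev in granted.items():
        # ZERO_TIME on both bounds is the thread's marker for an All Time search
        if (ev.get("apiStartTime"), ev.get("apiEndTime")) != ("ZERO_TIME", "ZERO_TIME"):
            continue
        if ev.get("user") in EXCLUDED_USERS:
            continue
        done = completed.get(sid)  # absent if the search has not completed yet
        findings.append({"user": ev["user"], "search": ev.get("search", ""),
                         "total_run_time": float(done["total_run_time"]) if done else None})
    return findings

def count_by_user(findings):
    """Equivalent of '| stats count by user' over the findings."""
    return dict(Counter(f["user"] for f in findings))
```

A search that was granted but has no "completed" event yet (carol above) is still reported, with total_run_time left as None.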