Splunk Search

Identify users and searches searching over all time

jklumpp_splunk
Splunk Employee

Is there a way to query the internal logs to see the timeframe over which searches ran specifically if they were run over all time? I've looked through Splunk On Splunk (SoS), but I can't find a way to understand the timeframe over which a search was executed.

1 Solution

somesoni2
SplunkTrust

Using _audit index

index=_audit action="search" search="*" | table user, apiStartTime, apiEndTime

If apiStartTime='ZERO_TIME' and apiEndTime='ZERO_TIME', the search ran over "All Time" [basically the earliest date to now].

Update

You may get the total run time with the following.

index=_audit action="search" info="completed" | table user, total_run_time, api_et, api_lt,result_count | eval api_et=strftime(api_et,"%m/%d/%Y %H:%M:%S:%3Q") | eval api_lt=strftime(api_lt,"%m/%d/%Y %H:%M:%S:%3Q")

Note: you will not get the search string you executed. Also, somehow it was not showing all the searches that I executed, so check that as well.


gjanders
SplunkTrust

I have a couple of alerts for this in Alerts for Splunk Admins, or look directly in the savedsearches.conf here:

SearchHeadLevel - Scheduled Searches without a configured earliest and latest time

The above is for scheduled searches only; the post by tioumen9x, which queries the audit logs, will get you anyone who searched all time, which might be what you want to check as well...

0 Karma

tioumen9x
Engager

This works for us

index=_audit action="search" search="*" 
| where user!="admin"
| table _time, user, apiStartTime, apiEndTime 
| search apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME' 
| timechart limit=0 count by user

We are now able to alert these users directly through email.

0 Karma

tioumen9x
Engager

A bit more accurate, and as we are linked with LDAP we are able to get specific information related to the user (i.e. email, ...):

index=_audit action="search" search="" NOT search="'|" user!="admin" user!="splunk-system-user" apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME'
| table _time, user, apiStartTime, apiEndTime
| stats count by user
| table user, count
| sort - count
| join type=left user
[| rest splunk_server=local /services/authentication/users/
| table email, title
| rename title as user]
| table user, count, email

0 Karma
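As an added example, not code from any of the posts above: the same check that the _audit searches by somesoni2 and tioumen9x perform (both apiStartTime and apiEndTime equal to ZERO_TIME, system accounts excluded, generating "|" searches skipped, count by user), implemented offline in Python over constructed audit.log lines so the logic can be tested without a Splunk instance. The "Audit:[key=value, ...]" line layout and the sample events are assumptions, not captured data.

```python
import re
from collections import Counter

# Constructed sample audit.log events (not real data). The layout mimics
# Splunk's "Audit:[key=value, ...][n/a]" format as an assumption.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-04-2024 09:12:01.512, user=alice, action=search, info=granted , search_id='1709543521.10', search='search index=web status=500', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-04-2024 09:13:44.003, user=bob, action=search, info=granted , search_id='1709543624.11', search='search index=auth action=failure', apiStartTime='Mon Mar  4 08:13:44 2024', apiEndTime='Mon Mar  4 09:13:44 2024', savedsearch_name=""][n/a]
Audit:[timestamp=03-04-2024 09:15:10.771, user=alice, action=search, info=granted , search_id='1709543710.12', search='search sourcetype=syslog error', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-04-2024 09:16:02.140, user=splunk-system-user, action=search, info=granted , search_id='scheduler__health', search='search index=_internal', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name="health"][n/a]
Audit:[timestamp=03-04-2024 09:17:30.655, user=carol, action=search, info=granted , search_id='1709543850.13', search='| rest /services/authentication/users', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-04-2024 09:18:05.200, user=carol, action=search, info=completed, search_id='1709543850.13', total_run_time=0.42, event_count=3, result_count=3][n/a]
"""

AUDIT_RE = re.compile(r"Audit:\[(.*)\]\[[^\]]*\]$")
# key=value pairs; quoted values may contain commas, so try quoted forms first
KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|[^,\]]*)""")

# Accounts the tioumen9x search excludes; adjust for your own service users.
SYSTEM_USERS = {"admin", "splunk-system-user"}


def parse_audit_event(line):
    """Return the key/value fields of one audit line, or None if it is not one."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group(1)):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]  # drop surrounding quotes
        fields[key] = val
    return fields


def is_all_time_search(ev):
    """ZERO_TIME on both ends means the search ran with no time bounds."""
    return (ev.get("action") == "search"
            and ev.get("apiStartTime") == "ZERO_TIME"
            and ev.get("apiEndTime") == "ZERO_TIME")


def all_time_searches_by_user(log_text, exclude_users=SYSTEM_USERS, skip_generating=True):
    """Count all-time searches per user, like '... | stats count by user'."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_audit_event(line)
        if not ev or not is_all_time_search(ev):
            continue
        if ev.get("user") in exclude_users:
            continue
        if skip_generating and ev.get("search", "").lstrip().startswith("|"):
            continue  # "| rest", "| inputlookup" etc. are not all-time index scans
        counts[ev["user"]] += 1
    return counts
```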

somesoni2
SplunkTrust

See if the updated answer helps you to some extent.

0 Karma

jklumpp_splunk
Splunk Employee

Thanks that does it. Unfortunately though those events don't include the total_run_time field so you can't tell how long they took to execute.

0 Karma