Is there a way to query the internal logs to see the timeframe over which searches ran specifically if they were run over all time? I've looked through Splunk On Splunk (SoS), but I can't find a way to understand the timeframe over which a search was executed.
Using _audit index
index=_audit action="search" search="*" | table user, apiStartTime, apiEndTime
If apiStartTime='ZERO_TIME' and apiEndTime='ZERO_TIME', the search ran on "All Times" [basically earliest date to now]
You may get the total run time with the following.
index=_audit action="search" info="completed" | table user, total_run_time, api_et, api_lt, result_count | eval api_et=strftime(api_et,"%m/%d/%Y %H:%M:%S:%3Q") | eval api_lt=strftime(api_lt,"%m/%d/%Y %H:%M:%S:%3Q")
Note: You will not get what search string you executed. Also, somehow it was not showing all the searches that I executed, so check that as well.
I have a couple of alerts for this in Alerts for Splunk Admins or look directly in the savedsearches.conf here
SearchHeadLevel - Scheduled Searches without a configured earliest and latest time
The above is for scheduled searches only; the post by tioumen9x, which queries the audit logs, will get you anyone who searched all time, which might be what you want to check as well...
This works for us
index=_audit action="search" search="*"
| where user!="admin"
| table _time, user, apiStartTime, apiEndTime
| search apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME'
| timechart limit=0 count by user
We are now able to alert these users directly through email.
A bit more accurate, and as we are linked with LDAP we are able to get specific information related to the user (i.e. email ...):
index=_audit action="search" search="" NOT search="'|" user!="admin" user!="splunk-system-user" apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME'
| table _time, user, apiStartTime, apiEndTime
| stats count by user
| table user, count
| sort - count
| join type=left user
[| rest splunk_server=local /services/authentication/users/
| table email, title
| rename title as user]
| table user, count, email
See if the updated answer helps you to some extent.
Thanks that does it. Unfortunately though those events don't include the total_run_time field so you can't tell how long they took to execute.