
Identify users and searches searching over all time

Splunk Employee

Is there a way to query the internal logs to see the timeframe over which searches ran specifically if they were run over all time? I've looked through Splunk On Splunk (SoS), but I can't find a way to understand the timeframe over which a search was executed.


Re: Identify users and searches searching over all time

SplunkTrust

Using _audit index

index=_audit action="search" search="*" | table user, apiStartTime, apiEndTime

If apiStartTime='ZERO_TIME' and apiEndTime='ZERO_TIME', the search ran over "All Time" (basically earliest date to now).

Update

You may get total run time with following.

index=_audit action="search" info="completed"
| table user, total_run_time, api_et, api_lt, result_count
| eval api_et=strftime(api_et,"%m/%d/%Y %H:%M:%S:%3Q")
| eval api_lt=strftime(api_lt,"%m/%d/%Y %H:%M:%S:%3Q")

Note: You will not get what search string you executed. Also, somehow it was not showing all the searches that I executed, so check that as well.



Re: Identify users and searches searching over all time

Splunk Employee

Thanks, that does it. Unfortunately though, those events don't include the total_run_time field, so you can't tell how long they took to execute.


Re: Identify users and searches searching over all time

SplunkTrust

See if the updated answer helps you to some extent.


Re: Identify users and searches searching over all time

Engager

This works for us

index=_audit action="search" search="*" 
| where user!="admin"
| table _time, user, apiStartTime, apiEndTime 
| search apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME' 
| timechart limit=0 count by user

We are now able to alert these users directly through email.


Re: Identify users and searches searching over all time

Engager

A bit more accurate, and as we are linked with LDAP we are able to get specific information related to the user (i.e. email ...):

index=_audit action="search" search="*" NOT search="'|*" user!="admin" user!="splunk-system-user" apiStartTime='ZERO_TIME' apiEndTime='ZERO_TIME'
| table _time, user, apiStartTime, apiEndTime
| stats count by user
| table user, count
| sort - count
| join type=left user
    [| rest splunk_server=local /services/authentication/users/
     | table email, title
     | rename title as user]
| table user, count, email

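The audit-log approach from the accepted answer and the two filtered searches above, worked through as an added Python example (not code from the thread, from Splunk, or from the Alerts for Splunk Admins app): it parses constructed `_audit`-style search events, flags searches whose apiStartTime and apiEndTime are both ZERO_TIME, applies the same user and leading-pipe exclusions as the SPL above, and joins each granted event with its completed event on search_id to recover total_run_time and result_count, which the thread's two separate queries only provide on their own. Assumptions: the sample lines are constructed and simplified relative to a real audit.log (a real event carries more fields), the excluded user list is the thread's, and search_id is taken to appear on both the granted and the completed event for the same search.

```python
"""Flag Splunk searches run over "all time" from _audit search events.

Added example, not code from the original thread. The input below is
constructed to resemble Splunk _audit events with action=search; a real
event carries more fields and field order may vary by version, so the
parser keys on field names rather than positions.
"""
import re
from collections import Counter

# One key=value pair: value is 'single-quoted', "double-quoted", or bare
# (runs to the next comma or closing bracket). Quoted alternatives come
# first so a search string that itself contains '=' is kept whole.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")

# Mirrors the thread's filters; adjust for your own service accounts.
EXCLUDED_USERS = frozenset({"admin", "splunk-system-user"})

# Constructed sample events (simplified layout, not a real capture).
SAMPLE_AUDIT = """\
Audit:[timestamp=03-10-2020 10:15:22.123, user=jsmith, action=search, info=granted, search_id='1583835322.45', search='search index=main error', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-10-2020 10:15:40.551, user=jsmith, action=search, info=completed, search_id='1583835322.45', total_run_time=18.43, event_count=120440, result_count=120440, api_et=N/A, api_lt=N/A][n/a]
Audit:[timestamp=03-10-2020 10:16:01.000, user=agarcia, action=search, info=granted, search_id='1583835361.46', search='search index=web status=500', apiStartTime='Tue Mar 10 09:16:01 2020', apiEndTime='Tue Mar 10 10:16:01 2020', savedsearch_name=""][n/a]
Audit:[timestamp=03-10-2020 10:16:05.000, user=admin, action=search, info=granted, search_id='1583835365.47', search='search index=_internal', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-10-2020 10:17:00.000, user=jsmith, action=search, info=granted, search_id='1583835420.48', search='| rest /services/server/info', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
Audit:[timestamp=03-10-2020 10:18:00.000, user=bwong, action=search, info=granted, search_id='1583835480.49', search='search index=main sourcetype=syslog', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""][n/a]
"""


def parse_audit_event(line):
    """Return the key=value fields of one _audit line, quotes stripped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_all_time(ev):
    """True when the search had no earliest/latest bound (ZERO_TIME on both)."""
    return (ev.get("action") == "search"
            and ev.get("apiStartTime") == "ZERO_TIME"
            and ev.get("apiEndTime") == "ZERO_TIME")


def all_time_searches(lines, excluded_users=EXCLUDED_USERS):
    """Granted all-time searches, each joined with its 'completed' event.

    The granted event carries the search string and time bounds; the
    completed event carries total_run_time and result_count. They are
    joined on search_id (assumed shared, as in Splunk's audit.log).
    Searches starting with a pipe (generating commands such as "| rest")
    are dropped, matching the thread's NOT search="'|*" filter.
    """
    events = [parse_audit_event(l) for l in lines if l.strip()]
    completed = {ev["search_id"]: ev for ev in events
                 if ev.get("info") == "completed" and "search_id" in ev}
    rows = []
    for ev in events:
        if ev.get("info") != "granted" or not is_all_time(ev):
            continue
        if ev.get("user") in excluded_users:
            continue
        if ev.get("search", "").lstrip().startswith("|"):
            continue
        done = completed.get(ev.get("search_id"), {})
        rows.append({
            "timestamp": ev.get("timestamp"),
            "user": ev.get("user"),
            "search": ev.get("search"),
            "search_id": ev.get("search_id"),
            # None when no completed event was seen (still running, or lost)
            "total_run_time": float(done["total_run_time"]) if "total_run_time" in done else None,
            "result_count": int(done["result_count"]) if "result_count" in done else None,
        })
    return rows


def count_by_user(rows):
    """Per-user count of all-time searches, the view the thread alerts on."""
    return Counter(r["user"] for r in rows)


if __name__ == "__main__":
    hits = all_time_searches(SAMPLE_AUDIT.splitlines())
    for r in hits:
        print(f"{r['user']:<10} run_time={r['total_run_time']}  {r['search']}")
    print(count_by_user(hits).most_common())
```

On the constructed sample this reports jsmith (18.43 s, 120440 results) and bwong (no completed event yet), while agarcia's bounded search, admin's search, and jsmith's `| rest` call are filtered out; in production the same join on search_id is what lets an alert show both the search text and how long the all-time search ran.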

Re: Identify users and searches searching over all time

SplunkTrust

I have a couple of alerts for this in Alerts for Splunk Admins or look directly in the savedsearches.conf here

SearchHeadLevel - Scheduled Searches without a configured earliest and latest time

The above is for scheduled searches only; the post by tioumen9x, which queries the audit logs, will get you anyone who searched all time, which might be what you want to check as well...
