
_audit index assistance

Engager

Does anyone know how to set up a stats table for the _audit index with all data in that index? Mainly listing all the data in the index that contain searched data, or even a sample of searches you performed. Please help.


Re: _audit index assistance

Ultra Champion

If you want to know who ran what searches, and how many times, you could start with something like this:

index=_audit user=* action=search search=* sourcetype=audittrail | stats count(user) by search, user

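A fuller version of the same "who ran what, how often" query, added here as an example and not the answer's own SPL. It assumes a default Splunk deployment where audit events land in index=_audit with sourcetype=audittrail, and uses the standard audittrail fields (user, action, info, search, search_id); the exclusions for the splunk-system-user account and for scheduler__* search IDs are choices made for this example.

```spl
index=_audit sourcetype=audittrail action=search info=granted user=* search=*
    NOT user="splunk-system-user"
    NOT search_id="scheduler__*"
| stats count AS runs
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY user, search
| convert ctime(first_seen) ctime(last_seen)
| sort - runs
```

Each search produces several audittrail events (one with info=granted when it is authorised, another with info=completed, or canceled, when it finishes), so filtering to info=granted counts each run once; without that filter the counts in the answer's query are inflated. The two NOT clauses drop scheduled and internal searches so the table shows interactive users; remove them if you want scheduled searches listed too. If you need per-run duration rather than counts, group the same events BY search_id instead, since the completed event carries total_run_time and event_count for that search ID.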