Splunk Search

how to know the search history by user, but only the searches you type

efaundez
Path Finder

Sorry for the inconvenience, but I'm looking for a query that only shows the searches typed by users, because when I check in the audit it shows me the querys programmed.

your attention is appreciated.

regards

0 Karma

JDukeSplunk
Builder

I think the posted answer will show saved searches, and not typed searches. I use this one, which is basically the same search as the answer

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1" 
| stats count by user search

renjith_nair
SplunkTrust
SplunkTrust

@efaundez,

Please find below search provided by @niketnilay in a comment in https://answers.splunk.com/answers/170477/how-do-i-get-a-list-of-all-searches-performed-in-s.html

 index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=sourcetypes | search totalCount > 0"
 | stats count by _time user search savedsearch_name  
 | where savedsearch_name=""
 | fields - savedsearch_name
Happy Splunking!

efaundez
Path Finder

Thanks for your answer, check the 2 queries and they are showing me searches that are stored in dashboard and programmed.

Check my history and I see many searches with | inputlookup ... which is not typed 😞

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...