Solved: How to audit REST api initiated searches?

the_wolverine · ‎07-10-2013

I'm looking to audit REST API search activity and I'm unable to locate any logging of REST API initiated searches. I just need to know what queries are being run and by whom.

somesoni2 · ‎07-10-2013

Following query provides list of all the searches being executed by all the users (including scheduled searches and REST API searches

index=_audit action="search" search="*"

Further, you can differentiate Scheduled searches with adhoc searches using following:

|eval adhoc=if(NOT user="splunk-system-user",1,0) | eval schd=if(user="splunk-system-user",1,0)

View solution in original post

somesoni2 · ‎07-10-2013

Following query provides list of all the searches being executed by all the users (including scheduled searches and REST API searches

index=_audit action="search" search="*"

Further, you can differentiate Scheduled searches with adhoc searches using following:

|eval adhoc=if(NOT user="splunk-system-user",1,0) | eval schd=if(user="splunk-system-user",1,0)

the_wolverine · ‎07-10-2013

We have a case where they are not being logged so I'm going to track it down. Thanks for your response.

How to audit REST api initiated searches?

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...