Solved: How to audit REST api initiated searches?

the_wolverine · ‎07-10-2013

I'm looking to audit REST API search activity and I'm unable to locate any logging of REST API initiated searches. I just need to know what queries are being run and by whom.

somesoni2 · ‎07-10-2013

Following query provides list of all the searches being executed by all the users (including scheduled searches and REST API searches

index=_audit action="search" search="*"

Further, you can differentiate Scheduled searches with adhoc searches using following:

|eval adhoc=if(NOT user="splunk-system-user",1,0) | eval schd=if(user="splunk-system-user",1,0)

View solution in original post

somesoni2 · ‎07-10-2013

Following query provides list of all the searches being executed by all the users (including scheduled searches and REST API searches

index=_audit action="search" search="*"

Further, you can differentiate Scheduled searches with adhoc searches using following:

|eval adhoc=if(NOT user="splunk-system-user",1,0) | eval schd=if(user="splunk-system-user",1,0)

the_wolverine · ‎07-10-2013

We have a case where they are not being logged so I'm going to track it down. Thanks for your response.

How to audit REST api initiated searches?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation