Getting Data In

Know what SourceTypes are being consulted by Users

New Member

Hello Community,

I am the administrator for a medium Splunk infrastructure
my manager came this morning and asked.

can you run a report of what users are being logged into Splunk and what searches have ran?
what of our different indexes and datasources are they being looked at?

is this possible?

Thank you!

Tags (2)
0 Karma


Hi mmcarty,
You can find Splunk logged Users in -audit index running a search like this

index=_audit "action=login attempt"

Instead you can find infomation abour runned searches on _internal

index=_internal "search=" index

and then extract sourcetype and index fields.

Remember that in this way you find only searches where index and sourcetypes are in the search, if you have eventtypes (I usually do it!) you have to search also eventtypes.


0 Karma