Monitoring Splunk

Showing Previous "Shares" of searches

New Member

When searching in Splunk, it is possible to hit the share button and share the job id and the results of the job with others via the link to the search rather than copy and pasting the url itself to another person and having splunk search the entire job again.

The issue is, if I am an admin, and I am searching on an index only available to admins, I can share the job with a user that does not have admin roles and they can view the job as it runs and completes and it is available for 7 days after the fact. In index=_audit, it seems like there is no record of the sharing of the search; it just shows that someone has viewed a job that someone else has initiated. Is there a way of showing the content of the searches that were shared like I described above and the users that viewed each of the shared searches for audit purposes?

Example for clarity:
I'm admin. Sam and Nick are power users. I have access to the index called Potato. Neither Sam nor Nick have access to the index. I can share the search "index=Potato | head" to Sam using the share button and he can see the results. If Sam, without my knowledge, shares the link with Nick, there is a potential issue if I want to see who has seen the information in index=Potato. Is there a way to see that furby559 searched for "index=Potato | head" and Sam AND Nick viewed that search?

I've tried to be as clear as possible, but if something is not clear, I will reply to your comment to clarify.

Tags (3)
0 Karma

Splunk Employee
Splunk Employee

Some search like this should work for you. I've partially solved it in the Search Activity App, but frankly I haven't done the best job there... if you want to jump into that app, I could craft a search that should work. It will be faster than this, slower than I would want, but would get the job done. But I would try this to meet your specific need first. I have verified that it works in a test environment.

index=_audit NOT "search_id='scheduler" user!="nobody" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" | regex _raw != "\|\s*metadata"  | stats values(user) as users dc(user) as numusers by  search_id | where numusers>1
0 Karma

New Member

Sadly this also doesn't work. I just shared a search with someone had them click on it and it didn't pick it up. The count for the search_id was only 1. Not sure why it doesn't work 😕

0 Karma

Builder

You could run this search, which shows Splunk Searches by User. You might be able to tweak it a bit to only show the data you need. I tried to limit it to only searches that called the _audit index, but got no results. No time for love Dr. Jones.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1" | stats count by user search

In fairness, I found this search on these boards

0 Karma

New Member

this isn't what i was asking sadly. The search=X isn't present for people just viewing the job of someone else so this doesn't do what it was supposed to! Thanks for the attempt though c:

0 Karma

Influencer

Did you try combination of webaccess logs/audit/remotesearches.log ?

Webaccess logs will give you the URL per user - this will be essentially the shared job URL, If you can extract the sid from the URL and go to scheduler/audit/remotesearches.log you will be able to get the actual search behind it and the number of results returned.

0 Karma

New Member

I have not, how would i go about doing that from the splunk ui? Any particular search that would yield that?

0 Karma