When searching in Splunk, it is possible to hit the share button and share the job ID and the results of the job with others via the link to the search, rather than copying and pasting the URL itself to another person and having Splunk run the entire job again.
The issue is, if I am an admin, and I am searching on an index only available to admins, I can share the job with a user that does not have admin roles and they can view the job as it runs and completes and it is available for 7 days after the fact. In index=_audit, it seems like there is no record of the sharing of the search; it just shows that someone has viewed a job that someone else has initiated. Is there a way of showing the content of the searches that were shared like I described above and the users that viewed each of the shared searches for audit purposes?
Example for clarity:
I'm admin. Sam and Nick are power users. I have access to the index called Potato. Neither Sam nor Nick has access to the index. I can share the search "index=Potato | head" with Sam using the share button and he can see the results. If Sam, without my knowledge, shares the link with Nick, there is a potential issue if I want to see who has seen the information in index=Potato. Is there a way to see that furby559 searched for "index=Potato | head" and Sam AND Nick viewed that search?
I've tried to be as clear as possible, but if something is not clear, I will reply to your comment to clarify.
A search like this should work for you. I've partially solved it in the Search Activity App, but frankly I haven't done the best job there... if you want to jump into that app, I could craft a search that should work. It will be faster than this, slower than I would want, but would get the job done. But I would try this to meet your specific need first. I have verified that it works in a test environment.
index=_audit NOT "search_id='scheduler" user!="nobody" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" | regex _raw != "\|\s*metadata" | stats values(user) as users dc(user) as numusers by search_id | where numusers>1
You could run this search, which shows Splunk Searches by User. You might be able to tweak it a bit to only show the data you need. I tried to limit it to only searches that called the _audit index, but got no results. No time for love Dr. Jones.
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1" | stats count by user search
In fairness, I found this search on these boards.
This isn't what I was asking, sadly. The search=X isn't present for people just viewing someone else's job, so this doesn't do what it was supposed to! Thanks for the attempt though c:
Did you try a combination of web access logs, audit, and remotesearches.log?
Web access logs will give you the URL per user; this will essentially be the shared job URL. If you can extract the sid from the URL and go to scheduler/audit/remotesearches.log, you will be able to get the actual search behind it and the number of results returned.
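The two approaches above (grouping _audit records by search_id so the viewers' records, which carry no search= field, are joined to the originator's record that does; and pulling the sid out of the job URL in the web access log to name additional viewers) can be combined offline. The following is an added example, not code from the original thread or from Splunk: it parses constructed sample lines whose key=value layout approximates Splunk's _audit format and whose access-log layout approximates a combined web access log, applies the same noise exclusions as the first answer's search (scheduler jobs, nobody/splunk-system-user, |history, typeahead, metadata), and reports every sid seen by more than one user together with the search text that was run. The user names, sids and timestamps are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed _audit-style events: the originator's record carries search=,
# the viewers' records (sam) carry only the shared search_id. The scheduler
# and |history records are noise the report must drop.
AUDIT_LINES = [
    "Audit:[timestamp=10-31-2023 12:00:01.000, user=furby559, action=search, "
    "search_id='1698753601.100', search='search index=Potato | head']",
    "Audit:[timestamp=10-31-2023 12:03:10.000, user=sam, action=search, "
    "search_id='1698753601.100']",
    "Audit:[timestamp=10-31-2023 12:10:00.000, user=sam, action=search, "
    "search_id='1698753900.101', search='search index=_internal | head 5']",
    "Audit:[timestamp=10-31-2023 12:10:30.000, user=sam, action=search, "
    "search_id='1698753930.102', search='|history']",
    "Audit:[timestamp=10-31-2023 12:11:00.000, user=splunk-system-user, action=search, "
    "search_id='scheduler__nobody__search__RMD5abc_at_1698753900_5', "
    "search='search index=_internal | stats count']",
]

# Constructed web access lines: nick never appears in _audit, only here,
# which is the case the second answer's sid-from-URL approach recovers.
WEB_LINES = [
    '10.0.0.5 - nick [31/Oct/2023:12:09:44 +0000] '
    '"GET /en-US/app/search/search?sid=1698753601.100 HTTP/1.1" 200 5120',
    '10.0.0.7 - sam [31/Oct/2023:12:10:00 +0000] '
    '"GET /en-US/app/search/search?q=search%20index%3D_internal HTTP/1.1" 200 4096',
]

# key=value pairs; quoted values may contain spaces, commas and pipes.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,\]\s]+))")
# Combined-log shape: client ident user [time] "METHOD url ..." (assumed layout).
WEB_RE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) ')


def parse_audit(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def is_noise(rec):
    """Mirror the exclusions used in the _audit search above."""
    sid = rec.get("search_id", "")
    user = rec.get("user", "")
    search = rec.get("search", "")
    if sid.startswith("scheduler") or user in ("nobody", "splunk-system-user"):
        return True
    if search.lstrip("| ").startswith(("history", "typeahead", "metadata")):
        return True
    return re.search(r"\|\s*metadata", search) is not None


def viewers_from_web_access(web_lines):
    """Map sid -> set of users whose browser requested a URL carrying that sid."""
    viewers = defaultdict(set)
    for line in web_lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        user, url = m.groups()
        sid = parse_qs(urlparse(url).query).get("sid")
        if sid:
            viewers[sid[0]].add(user)
    return viewers


def audit_report(audit_lines, web_lines=()):
    """Return {sid: {"search": text, "users": [...]}} for jobs seen by >1 user.

    The search text comes from whichever audit record carries search= (the
    originator's); viewers are the union of audit users and web-access users.
    """
    users = defaultdict(set)
    text = {}
    for line in audit_lines:
        rec = parse_audit(line)
        sid = rec.get("search_id")
        if not sid or is_noise(rec):
            continue
        users[sid].add(rec["user"])
        if "search" in rec:
            text.setdefault(sid, rec["search"])
    for sid, web_users in viewers_from_web_access(web_lines).items():
        users[sid] |= web_users
    return {sid: {"search": text.get(sid), "users": sorted(u)}
            for sid, u in users.items() if len(u) > 1}


if __name__ == "__main__":
    for sid, info in audit_report(AUDIT_LINES, WEB_LINES).items():
        print(sid, info["search"], ", ".join(info["users"]))
```

Run against the constructed input, the report contains only sid 1698753601.100 with the search text "search index=Potato | head" and viewers furby559, nick and sam; sam's own _internal search stays out because a single user saw it. Without the web access lines, nick is invisible, which is exactly the gap the original question describes.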