I am working on a dashboard that displays previous queries in splunk.
I can find the previous queries using the history command or by searching _audit.
experiments tells me that the |history command, only displays history relative to the current app.
Is there a workaround for that?
I get in to trouble with Ops, who claim that normal users can't get access to the _audit index.
What would be the worst thing that could happen, if we gave regular users access to _audit?
history command returns only your last commands (the current user), this is security related and there is no workaround.
_audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query
_audit for the searches and summary index the results into a user friendly accessible index.
All happy 🙂
Hope that helps ...
So being on the administration side, I would recommend being mindful of possibilities of opening access to others searches to the general user. For a scenario, say someone accidentally starts indexing passwords, the presence of searches looking for specific users or passwords could give a 3rd party an idea of the breach themselves, or it could be another vector for compromise (how many Splunk searches have you kicked off by accidentally clicking when trying to highlight results to copy/paste?) or give information about the possibility of the other ways to compromise monitored systems. Now the risk from this is likely minimal (non-zero, but likely minimal) but like all other data in Splunk, think about what needs are met by individuals seeing such and what risks are present by enabling such access and what your organization's tolerance for those risk for this meta data around systems monitored by Splunk 🙂
I was able to work around my problem using a scheduled search as you suggest.
This is my working code snippets from my app, for anyone who comes here after me 🙂
cronschedule = * * * * *
dispatch.earliesttime = -1m@m
dispatch.latesttime = now
enableSched = 1
search = index=audit \
| where search not null \
| rex field=search "^'search (?<searchstring>.)'$" \
| where searchstring not null \
| where user != "admin" \
| rex field=searchstring max_match=10 "index=([\"'])?(?<index>\S+)([\"'])?" \
| rex field=index ".?(?<asteriks>).?" \
| eval wildcards=if (isnull(asteriks),"Y","N") \
| fields time, user, searchstring, index, wildcards \
| outputlookup append=true createinapp=true auditsearchhistory
enforceTypes = true
externaltype = kvstore
collection = auditsearchhistory
fieldslist = time, user, searchstring, index, wildcards
timefield = _time
field.time = time
field.user = string
field.search_string = string
field.index = string
field.index = wildcards