Monitoring Splunk

_audit index assistance


Does anyone know how to setup a stats table for the _audit with all data in that index? Mainly listing all the data in the index that contain searched data or event a sample of searches you performed. Please help.

Tags (1)
0 Karma

Ultra Champion

If you want to know who ran what searches, and how many times, you could start with something like this:

index=_audit user=* action=search search=* sourcetype=audittrail | stats count(user) by search, user

If my comment helps, please give it a thumbs up!
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!