Solved: How to get a list of reports and searches run by a...

a212830 · ‎06-19-2018

Hi,

I need a report that shows what searches and scheduled reports that a user has run over a timeframe. I thought it was in the DMC, but I don't see it. Can someone help me?

solarboyz1 · ‎06-19-2018

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, user, search

You can reduce that to a specific user:

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " user=${user_of_interest} | history" NOT "AUTOSUMMARY" | table _time,  search

View solution in original post

sloshburch · ‎06-20-2018

Manage search jobs may also be of interest given the formatting and filtering already implemented for you.

solarboyz1 · ‎06-20-2018

Except......that report will only contain the jobs that haven't expired. Its based on the artifacts in the dispatch directory I believe. To get historic data, you would need to use logs.

solarboyz1 · ‎06-19-2018

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, user, search

You can reduce that to a specific user:

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " user=${user_of_interest} | history" NOT "AUTOSUMMARY" | table _time,  search

solarboyz1 · ‎06-19-2018

Correct a terrible paste accident in the "specific user" search syntax above:

index=_audit action=search search=* user=${user_of_interest} NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, search

a212830 · ‎06-19-2018

thanks!

How to get a list of reports and searches run by a specific user?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?