Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reporting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- How to get a list of reports and searches run by a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a212830
Champion
06-19-2018
11:14 AM
Hi,
I need a report that shows what searches and scheduled reports that a user has run over a timeframe. I thought it was in the DMC, but I don't see it. Can someone help me?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solarboyz1
Builder
06-19-2018
11:32 AM
index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, user, search
You can reduce that to a specific user:
index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " user=${user_of_interest} | history" NOT "AUTOSUMMARY" | table _time, search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sloshburch
Splunk Employee
06-20-2018
05:57 AM
Manage search jobs may also be of interest given the formatting and filtering already implemented for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solarboyz1
Builder
06-20-2018
06:45 AM
Except......that report will only contain the jobs that haven't expired. Its based on the artifacts in the dispatch directory I believe. To get historic data, you would need to use logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solarboyz1
Builder
06-19-2018
11:32 AM
index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, user, search
You can reduce that to a specific user:
index=_audit action=search search=* NOT "typeahead" NOT metadata NOT " user=${user_of_interest} | history" NOT "AUTOSUMMARY" | table _time, search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
solarboyz1
Builder
06-19-2018
11:33 AM
Correct a terrible paste accident in the "specific user" search syntax above:
index=_audit action=search search=* user=${user_of_interest} NOT "typeahead" NOT metadata NOT " | history" NOT "AUTOSUMMARY" | table _time, search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a212830
Champion
06-19-2018
11:47 AM
thanks!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Community Content Calendar, September edition
Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...
Splunkbase Unveils New App Listing Management Public Preview
Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...
