Splunk Usage Audit Report

itsmevic
Communicator

Hi fellow Splunkers,

I am needing a report which provides audit metrics on the time a Splunk user spends in an app; any searches they ran, and anything else.  The more detail, the better.  Any help with this is GREATLY appreciated.  THANK YOU SO MUCH!  
0 Karma

bandit
Motivator

Query which will give the number of seconds and a human-readable time_spent on a Splunk page. You may need to tweak the transaction parameters such as maxspan and maxpause etc. to your liking.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

index=_internal sourcetype=splunk_web_access uri_path="/en-US/app/*" * user!="-" 
| rex field=uri_path "/app/(?<splunk_app>[^/]+)/(?<splunk_view>[^/]+)" 
| eval splunk_page=splunk_app+"-"+splunk_view 
| transaction maxpause=60s user splunk_page 
| stats sum(duration) as duration by user splunk_page 
| eval time_spent=tostring(duration, "duration")
| search duration > 0
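As an added illustration (not bandit's code, and not something Splunk itself runs), here is a Python model of what that transaction search computes, applied to constructed lines in the shape of sourcetype=splunk_web_access: the same user!="-" and uri_path filters, the same rex for app and view, a maxpause-style split into transactions, and the HH:MM:SS formatting of tostring(duration, "duration"). The log line layout is an assumption made for the example.

```python
import re
from datetime import datetime

# Constructed lines in the shape of sourcetype=splunk_web_access (not real logs).
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Apr/2024:09:00:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 512
10.0.0.5 - alice [10/Apr/2024:09:00:45.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 512
10.0.0.5 - alice [10/Apr/2024:09:05:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 512
10.0.0.5 - alice [10/Apr/2024:09:05:20.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 512
10.0.0.7 - bob [10/Apr/2024:09:02:00.000 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2024:09:03:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 303 0
"""
LOG_RE = re.compile(r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\w+ (?P<uri_path>\S+)')
PAGE_RE = re.compile(r"/app/(?P<splunk_app>[^/]+)/(?P<splunk_view>[^/]+)")  # same as the rex

def parse_events(text):
    """Yield (epoch, user, splunk_page) with the same filters and rex as the SPL base search."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] == "-" or not m["uri_path"].startswith("/en-US/app/"):
            continue
        p = PAGE_RE.search(m["uri_path"])
        if p:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z").timestamp()
            yield ts, m["user"], f"{p['splunk_app']}-{p['splunk_view']}"

def time_spent(text, maxpause=60):
    """transaction maxpause=<maxpause>s user splunk_page | stats sum(duration): events of one
    user/page with gaps <= maxpause form a transaction (duration = last - first); 0 is dropped."""
    by_key = {}
    for ts, user, page in parse_events(text):
        by_key.setdefault((user, page), []).append(ts)
    totals = {}
    for key, times in by_key.items():
        times.sort()
        total, start, prev = 0.0, times[0], times[0]
        for t in times[1:]:
            if t - prev > maxpause:      # pause too long: close the current transaction
                total, start = total + (prev - start), t
            prev = t
        total += prev - start
        if total > 0:                    # `search duration > 0`
            totals[key] = int(total)
    return totals

def fmt_duration(seconds):
    """Like tostring(duration, "duration"): HH:MM:SS, prefixed with D+ beyond one day."""
    days, rem = divmod(int(seconds), 86400)
    hms = f"{rem // 3600:02d}:{rem % 3600 // 60:02d}:{rem % 60:02d}"
    return f"{days}+{hms}" if days else hms
```

With the sample above, alice gets two transactions (45 s and 20 s) on search-search, reported as 65 s / 00:01:05, while bob's single launcher-home hit has zero duration and is dropped, exactly as the SPL would do.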

bandit
Motivator

@itsmevic here's an image showing the original source on the left side and how it gets modified once I post to Splunk Answers on the right side. Possibly Chrome is encoding/decoding a few characters causing the error.

0 Karma

itsmevic
Communicator

Rob, these queries just aren't running for some reason, still getting the same error message as mentioned. Listen, I don't want to take up any more of your time but truly appreciate you trying to help me. I'm going to award you the points anyway for your efforts. Thank you.

0 Karma

bandit
Motivator

Hi @itsmevic, I've vetted on a generic Splunk lab server and re-uploaded the files linked above a few minutes back. This time I did a direct copy vs copying and pasting in the browser. Hopefully they render for you now. If not, let me know; I can just paste some of the searches directly instead of the dashboards.

Rob

0 Karma

itsmevic
Communicator

Rob, thank you for your continued assistance with this. I do appreciate greatly the time and effort you are giving towards this endeavor. I've tried running the queries through again and am getting the same error:

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side.

0 Karma

bandit
Motivator

Search 1

index=_audit sourcetype=audittrail
| fillnull value=NULL
| table _time host user action info

Search 2

index=_audit sourcetype=audittrail 
| fillnull value=NULL 
| table _time host user action info _raw 
| transaction user action
| table _time duration host user action info _raw

Search 3

index=_internal sourcetype=splunk_web_access uri_path="/en-US/app/*" * user!="-" 
| rex field=uri_path "/app/(?<splunk_app>[^/]+)/(?<splunk_view>[^/]+)" 
| eval splunk_page=splunk_app+"-"+splunk_view 
| top 100 user splunk_page

0 Karma

itsmevic
Communicator

Thanks for all your help, Rob!

0 Karma

bandit
Motivator

Here's a dashboard that will give some stats on the apps and dashboards that are being used.

Adding a download link as I could not get formatting preserved.
https://downloads.jordan2000.com/splunk/dashboards/popular_views.xml

0 Karma

itsmevic
Communicator

Unfortunately, the same response with this one too:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.
The search job has failed due to an error. You may be able view the job in the Job Inspector."

0 Karma

bandit
Motivator

Adding a download link as I could not get formatting preserved when I post to Splunk Answers.
https://downloads.jordan2000.com/splunk/dashboards/activity_audit.xml

Adding a download link as I could not get formatting preserved when I post to Splunk Answers.
https://downloads.jordan2000.com/splunk/dashboards/popular_views.xml

0 Karma

bandit
Motivator

Here's a dashboard that will give some of the activity audit you are requesting.

Adding a download link as I could not get formatting preserved. https://downloads.jordan2000.com/splunk/dashboards/activity_audit.xml

0 Karma

itsmevic
Communicator

Thanks, Rob.

Wow! Now, that's a search! Unfortunately, when I ran it, it is giving me this error:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side."

I went through the query but didn't see anything abnormal. I've overlooked it somewhere within the 819 lines of SPL. By chance, would you be able to pinpoint it?

0 Karma

bandit
Motivator

I think it's line 127. When I post here, it URL decodes the dashboard source, whereas when I view my dashboard's source in Splunk it has the &lt; and &gt;

original source:
| rex field=id "/users/(?&lt;user&gt;.+)$" 

0 Karma

itsmevic
Communicator

Thanks for the response, Rob. I basically copied and pasted your original source to the query itself but unfortunately, Splunk is still choking. Getting the same error:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side."

This query looks like it pulls some meaningful info. I am excited to see first hand if we can get it to work.

0 Karma

bandit
Motivator

Take a look at the builtin Splunk Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview - it has many reports already built which you could copy and customize to your needs.

0 Karma