Reporting

User audit report

mcrouse
New Member

Hello, I am enhancing an existing Splunk instance and I want to build or find a report that will tell me who accessed the system and when, and what searches or reports they ran. Is there a canned report that will tell me this information? If not, can someone help me define the search to turn up this information? Thanks.

Tags (3)
0 Karma

somesoni2
Revered Legend

You may want to look at the reports provided by SOS (splunk-on-splunk) app. They have reports with data like "UI Search Activity by User","Recent Usage by User (Non-Scheduled Only)"

0 Karma

lguinn2
Legend

This may be close to what you want:

index=_audit action=search search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY" 

You may want to play around with it to include/eliminate certain searches.

0 Karma

splunkn
Communicator

Hi Iguinn. Its a good answer. Could you please explain you have eliminated few words like typeahead metadata history and autosummary. I am able see the differences but am not able to understand the exact purpose

Thanks in advance

0 Karma
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...