Security

Tracking overall user activities using Splunk

mchoudhary
Explorer

I need to build an overall user activities report as in login activities, file accessed, file exported, application accessed, failed attempts etc., whichever potential tracking can be done using Splunk for a user.

I am not sure how to approach this.
Can someone help me with which index or data model I should start with to get this kind of information?
Any help would be really appreciated.


PrewinThomas
Motivator

@mchoudhary 

As others mentioned, specify your requirement.

Do you want to track user activities from other systems(like OS, Network devices, security devices..) or from Splunk itself?
If you use Splunk Enterprise Security (ES), the relevant data models (like Authentication, Change...) are available (if you configure CIM-compliant data onboarding). For core Splunk, you need to onboard and normalize data accordingly and create dashboards/reports based on your requirements.

For Splunk audit activity - Latest Splunk comes with Splunk Audit trail App. It provides real-time visibility into user activity and knowledge object changes using data from the _audit index.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

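Added example (not from any poster in this thread): one SPL search over the CIM Authentication data model mentioned above that builds a per-user login summary, which is the starting point for the "login activities / failed attempts" part of the report. It assumes the Authentication data model is populated and accelerated (summariesonly=true) and that the threshold values are placeholders to tune for your environment.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where nodename=Authentication Authentication.user!="unknown"
    by Authentication.user Authentication.action Authentication.src Authentication.app
| rename Authentication.* as *
| stats sum(eval(if(action="success",count,0))) as successes
        sum(eval(if(action="failure",count,0))) as failures
        dc(src) as distinct_sources
        values(app) as apps
        by user
| eval failure_ratio=round(failures/(successes+failures),2)
| where failures > 10 OR distinct_sources > 5
| sort - failures
```

Drop the final `where` line to get the full per-user table instead of only the accounts that exceed the placeholder thresholds.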

mchoudhary
Explorer

@PrewinThomas ,
Yes, I want to track user activities from other systems (like OS, Network devices, security devices..) 
and I have authentication data model available.
I want to track user's activities like logins, files accessed/exported, application/server accessed etc.

I am confused if I should query wineventsecurity logs or the authentication data model, or if there is any particular index in general which tracks these kinds of events in Splunk.

Thank you for replying back!


gcusello
SplunkTrust

Hi @mchoudhary ,

your question is too vague:

which kind of logs are you speaking for (windows, Linux, Splunk, etc...), what is the technology you are using?

have you already ingested these logs in Splunk or must you ingest them?

Ciao.

Giuseppe


richgalloway
SplunkTrust

It's not clear if you want to use Splunk to track user activity on other systems or if you want to track what users do in Splunk itself.

The former will depend on what events are sent from the systems of interest to Splunk.  These probably will include Windows event logs and/or Linux audit logs.

The latter can be done by searching _audit and _internal (especially the splunkd_access and splunkd_ui_access sources).

---
If this reply helps you, Karma would be appreciated.

mchoudhary
Explorer

@richgalloway ,

I am trying to build a SPL query/report for general user tracking across Splunk and not what users do in Splunk itself. Activities like login tracking, reports they accessed, application accessed, files they exported etc., or any potential activities that can be tracked for a user in Splunk.


richgalloway
SplunkTrust

Splunk can only track what is reported to it.  That means all systems must send logins, report and application accesses, file exports, etc.,  to Splunk.  Then you can use that data to build reports and alerts.

Specifics will depend on what platforms and application you have as well as company policies.

---
If this reply helps you, Karma would be appreciated.