Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the user shown in the results is not the user who is running the query?

IRHM73
Motivator
‎02-11-2016 11:51 PM

Hi,

I wonder whether someone may be able to help me please.

I'm running the query below to obtain information about searches that are being run on Splunk and the query works fine.

|rest /services/search/jobs  
|rename custom.search as customSearch  
|search NOT author="splunk-system-user"  
|eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
|search SearchString!=""

The problem I have is that the user shown in the results is not the user who is running the query, often through an app, but rather the owner of the app and developer of the query i.e. me.

So I tried another query I found (see below) which does extract the person who is performing the search, but unlike the first query doesn't report the time range used and the duration of the search, well not that I can find.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort user | fields user search _time

Could someone tell me please it possible to use a query which will retrieve the following data:

  • Owner of search
  • User of search
  • Search
  • Date Range Used In Search
  • Duration of the search
  • App Used

Many thanks and kind regards

Chris

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-12-2016 02:00 AM

Hi,

Trying joining both queries with search_id and see if that helps:

index=_audit action=search info=granted search=* 
    NOT "search_id='scheduler" 
    NOT "search='|history" 
    NOT "user=splunk-system-user" 
    NOT "search='typeahead" 
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs
    | search NOT author="splunk-system-user"
    | rename custom.search as customSearch, sid AS search_id  
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎06-29-2022 11:47 AM

This is a pretty complex problem - part of the puzzle is in the audit log's info="granted" event,  another part is in the audit log's info="completed" event,   even more of it is over in the introspection index.

Then of course for jobs that still exist on the filesystem there is a wealth more info you can get from the rest command or by a custom search command that inspects info.csv and status.csv.

I recommend checking out an app that we released recently called Sideview UI -   specifically the view within that app called "user_activity".

This will do all of this for you,  sidestep pretty thorny autokv problems in the audit data,  and not just give you all of this per search, but also present stats and rollups by user,  app, dashboard,   even by sourcetypes-that-were-actually-searched

it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user,  by-app,  by-sourcetype rollups etc.   So that admins can try and pick off the worst offenders first.

it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/

and there's a #sideview_ui channel for it in the community slack.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎02-12-2016 02:05 AM

Hi
try this 

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table *

and specify certains information that you want for example see the following

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table user search maxtime timestamp

![alt text][1]

Preview file
1 KB
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-16-2016 01:20 AM

Hi @chimell, thank you for taking the time to come back to me with this and my apologies for not replying sooner.

The query works great.

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

josf999
New Member
‎09-21-2016 01:09 AM

@Chimell
Thanks a lot.Your query works great....

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎02-12-2016 02:00 AM

Hi,

Trying joining both queries with search_id and see if that helps:

index=_audit action=search info=granted search=* 
    NOT "search_id='scheduler" 
    NOT "search='|history" 
    NOT "user=splunk-system-user" 
    NOT "search='typeahead" 
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs
    | search NOT author="splunk-system-user"
    | rename custom.search as customSearch, sid AS search_id  
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-15-2016 05:57 AM

Hi @javiergn, thank you for taking the time to come back to me with this and my apologies for not coming back to you sooner.

The query works great and returns the information I need.

Once again many thanks and kind regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...