Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes?

cass_major
Engager
‎06-19-2023 11:15 PM

Hello,

Could anyone offer an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes please?

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

0 Karma
Reply
Solved! Jump to solution

cass_major
Engager
‎06-20-2023 07:05 PM

Thank you isoutamo. Any advice how to drill down to a particular user with the SPL? I am trying to find anyone who isn't properly constraining their searches by index.

Cheers,

Cass

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 11:52 PM

The above SPL shows to you all those ad-hoc queries (not saved searches like alerts etc.). You can see the users who are running those. Just limit searches by user etc. and you probably get what you are wanting.

One good tool is MC which helps you to find long running or other expensive queries.

There is also some apps on splunkbase and in GitHub which you could use for that:

There are lot of other apps on net which you could try and get more information about what is happening on your environment.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...