Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes?

cass_major
Engager
‎06-19-2023 11:15 PM

Hello,

Could anyone offer an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes please?

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

0 Karma
Reply
Solved! Jump to solution

cass_major
Engager
‎06-20-2023 07:05 PM

Thank you isoutamo. Any advice how to drill down to a particular user with the SPL? I am trying to find anyone who isn't properly constraining their searches by index.

Cheers,

Cass

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 11:52 PM

The above SPL shows to you all those ad-hoc queries (not saved searches like alerts etc.). You can see the users who are running those. Just limit searches by user etc. and you probably get what you are wanting.

One good tool is MC which helps you to find long running or other expensive queries.

There is also some apps on splunkbase and in GitHub which you could use for that:

There are lot of other apps on net which you could try and get more information about what is happening on your environment.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...