Splunk Enterprise

Is there an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes?

cass_major
Engager

Hello,

Could anyone offer an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes please?

Thank you

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

0 Karma

cass_major
Engager

Thank you isoutamo. Any advice how to drill down to a particular user with the SPL? I am trying to find anyone who isn't properly constraining their searches by index.

Cheers,

Cass

0 Karma

isoutamo
SplunkTrust
SplunkTrust

The above SPL shows to you all those ad-hoc queries (not saved searches like alerts etc.). You can see the users who are running those. Just limit searches by user etc. and you probably get what you are wanting.

One good tool is MC which helps you to find long running or other expensive queries.

There is also some apps on splunkbase and in GitHub which you could use for that:

There are lot of other apps on net which you could try and get more information about what is happening on your environment.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...