Searching for events in _audit is special because when I run a search, my own ad-hoc search gets added to the returned events. I end up literally chasing my own tail.
Is there a search term I can add inline to tell splunk I want the "original" event, and not results from my own search activity on the said event? I know I can use a NOT user=me, but that's super explicit and that can't be the solution.
There has to be a feature to handle this, right?
Configure a receiver using Splunk Web = ok
Configure a receiver using the command line = "Failed to create. Configuration for port 9997 already exists."
Configure a receiver using a configuration file=
root@indexador1:......./splunk/etc/system/local# more inputs.conf
host = indexador1
Yes, there is a feature to limit the results returned in a ssarch. It's called where, as in
| where NOT user=me
Often, you can include this in the base search
index=_audit NOT user=me
My concern with using user=me is "me" is explicit and not dynamic. If I make a dashboard based on this and another admin goes to it, will it return the results as expected?
In other words, when other users access dashboards I have shared, are searches that are run tied to them, or the original dashboard creator?
If searches are tied to the user, then the filter above won't work as expected, since _audit will pick up user=otherperson and audit will add their own ad-hoc search to the results, NOT user=me will still be in there, but it won't filter the one using the actual dashboard at the time.
If the searches are somehow tied to original search creator, then I suppose it would work, but I don't know a way to be sure.