Splunk Search

Excluding my own activity from searches in audit index

chris94089
Path Finder

Searching for events in _audit is special because when I run a search, my own ad-hoc search gets added to the returned events.  I end up literally chasing my own tail.

Is there a search term I can add inline to tell splunk I want the "original" event, and not results from my own search activity on the said event?  I know I can use a NOT user=me, but that's super explicit and that can't be the solution.

There has to be a feature to handle this, right?

Thanks

Labels (2)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

View solution in original post

anmolpatel
Builder
 
0 Karma

splunkcol
Builder

hi, @anmolpatel 

Configure a receiver using Splunk Web = ok

Configure a receiver using the command line = "Failed to create. Configuration for port 9997 already exists."


Configure a receiver using a configuration file=

root@indexador1:......./splunk/etc/system/local# more inputs.conf
[default]
host = indexador1

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, there is a feature to limit the results returned in a ssarch.  It's called where, as in 

| where NOT user=me

 Often, you can include this in the base search

index=_audit NOT user=me

 

😀 

---
If this reply helps you, Karma would be appreciated.
0 Karma

chris94089
Path Finder

My concern with using user=me is "me" is explicit and not dynamic.  If I make a dashboard based on this and another admin goes to it, will it return the results as expected?

In other words, when other users access dashboards I have shared, are searches that are run tied to them, or the original dashboard creator?

If searches are tied to the user, then the filter above won't work as expected, since _audit will pick up user=otherperson and audit will add their own ad-hoc search to the results, NOT user=me will still be in there, but it won't filter the one using the actual dashboard at the time.

If the searches are somehow tied to original search creator, then I suppose it would work, but I don't know a way to be sure.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...