Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Excluding my own activity from searches in audit index

chris94089
Path Finder
‎07-20-2020 12:21 PM

Searching for events in _audit is special because when I run a search, my own ad-hoc search gets added to the returned events.  I end up literally chasing my own tail.

Is there a search term I can add inline to tell splunk I want the "original" event, and not results from my own search activity on the said event?  I know I can use a NOT user=me, but that's super explicit and that can't be the solution.

There has to be a feature to handle this, right?

Thanks

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-20-2020 01:30 PM

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

anmolpatel
Builder
‎07-20-2020 08:59 PM
 
0 Karma
Reply
Solved! Jump to solution

splunkcol
Builder
‎07-21-2020 05:14 AM

hi, @anmolpatel 

Configure a receiver using Splunk Web = ok

Configure a receiver using the command line = "Failed to create. Configuration for port 9997 already exists."


Configure a receiver using a configuration file=

root@indexador1:......./splunk/etc/system/local# more inputs.conf
[default]
host = indexador1

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2020 12:42 PM

Yes, there is a feature to limit the results returned in a ssarch.  It's called where, as in 

| where NOT user=me

 Often, you can include this in the base search

index=_audit NOT user=me

 

😀 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

chris94089
Path Finder
‎07-20-2020 01:22 PM

My concern with using user=me is "me" is explicit and not dynamic.  If I make a dashboard based on this and another admin goes to it, will it return the results as expected?

In other words, when other users access dashboards I have shared, are searches that are run tied to them, or the original dashboard creator?

If searches are tied to the user, then the filter above won't work as expected, since _audit will pick up user=otherperson and audit will add their own ad-hoc search to the results, NOT user=me will still be in there, but it won't filter the one using the actual dashboard at the time.

If the searches are somehow tied to original search creator, then I suppose it would work, but I don't know a way to be sure.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-20-2020 01:30 PM

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...