Splunk Search

Excluding my own activity from searches in audit index

chris94089
Path Finder

Searching for events in _audit is special because when I run a search, my own ad-hoc search gets added to the returned events.  I end up literally chasing my own tail.

Is there a search term I can add inline to tell splunk I want the "original" event, and not results from my own search activity on the said event?  I know I can use a NOT user=me, but that's super explicit and that can't be the solution.

There has to be a feature to handle this, right?

Thanks

Labels (2)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

View solution in original post

anmolpatel
Builder
 
0 Karma

splunkcol
Builder

hi, @anmolpatel 

Configure a receiver using Splunk Web = ok

Configure a receiver using the command line = "Failed to create. Configuration for port 9997 already exists."


Configure a receiver using a configuration file=

root@indexador1:......./splunk/etc/system/local# more inputs.conf
[default]
host = indexador1

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, there is a feature to limit the results returned in a ssarch.  It's called where, as in 

| where NOT user=me

 Often, you can include this in the base search

index=_audit NOT user=me

 

😀 

---
If this reply helps you, Karma would be appreciated.
0 Karma

chris94089
Path Finder

My concern with using user=me is "me" is explicit and not dynamic.  If I make a dashboard based on this and another admin goes to it, will it return the results as expected?

In other words, when other users access dashboards I have shared, are searches that are run tied to them, or the original dashboard creator?

If searches are tied to the user, then the filter above won't work as expected, since _audit will pick up user=otherperson and audit will add their own ad-hoc search to the results, NOT user=me will still be in there, but it won't filter the one using the actual dashboard at the time.

If the searches are somehow tied to original search creator, then I suppose it would work, but I don't know a way to be sure.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

in dashboards you could use $env:user$ to refer current user.

r. Ismo

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...