Extract Searches Performed

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I was using the query below to return details of all the searches performed, which was great because I could extract the user, the run time of the search, and the 'earliest' and 'latest' dates used in the query.

|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")  
|search title!=""

The problem is that this doesn't give me the details for all the searches run.

So I started using the following:

index=_audit action="search" search=* 
| search NOT (user="splunk-system-user" OR user="monitoring") 

But the problem with this is that I can't retrieve all the 'earliest' and 'latest' dates, and so far I've been unable to find the run time audit event for the query.

Could someone please tell me whether there is a query which returns all of the searches within a given time period and also provides the dates and run times I need?

Many thanks and Kind Regards

Chris

somesoni2
Revered Legend

Use the following query

index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring" 

This gives you fields you need: user, total_run_time, search_et (earliest), search_lt (latest)
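As an added worked example (not code from this thread or from Splunk): the accepted query filters on info=completed because that is the audit event that carries total_run_time; the granted event written when a search is dispatched does not have it yet, which is why the asker's action=search search=* query could not find the run time. The Python below applies the same filter to a few constructed _audit lines, extracts user, total_run_time, search_et and search_lt, converts the epoch timestamps, and treats N/A (which Splunk writes for a search with no time bound) as "no earliest/latest". The sample events and the set of fields in them are constructed assumptions modelled on Splunk's Audit:[key=value, ...] layout; the exact fields your instance logs may differ.

```python
import re
from datetime import datetime, timezone

# Constructed sample _audit events (not real log data). The "Audit:[key=value, ...]"
# layout is Splunk's audit format; the exact set of fields present in each event is
# an assumption and has been trimmed to the fields the example needs.
SAMPLE_AUDIT = [
    # 'granted' is logged when a search is dispatched; it has no total_run_time yet.
    "Audit:[timestamp=01-15-2020 10:23:45.123, user=chris, action=search, "
    "info=granted, search_id='1579083825.100', search='search index=main error', "
    "search_et=1579080000.000000000, search_lt=1579083825.000000000]",
    # 'completed' carries total_run_time. The search string contains a comma,
    # which is why fields are pulled out with anchored regexes, not split(',').
    "Audit:[timestamp=01-15-2020 10:23:47.456, user=chris, action=search, "
    "info=completed, search_id='1579083825.100', "
    "search='search index=main error, level=high', total_run_time=2.33, "
    "event_count=42, search_et=1579080000.000000000, search_lt=1579083825.000000000]",
    # System user: excluded, as in the thread's query.
    "Audit:[timestamp=01-15-2020 10:24:00.000, user=splunk-system-user, action=search, "
    "info=completed, search_id='1579083840.101', search='search index=_internal', "
    "total_run_time=0.50, event_count=7, search_et=N/A, search_lt=N/A]",
    # All-time search: search_et/search_lt are N/A when there is no time bound.
    "Audit:[timestamp=01-15-2020 10:25:10.000, user=alice, action=search, "
    "info=completed, search_id='1579083910.102', "
    "search='search index=* sourcetype=access_combined', total_run_time=14.80, "
    "event_count=90000, search_et=N/A, search_lt=N/A]",
]

EXCLUDED_USERS = {"splunk-system-user", "monitoring"}


def audit_field(event, name):
    """Return the value of an unquoted key=value field, or None if absent.

    The key must be preceded by '[', ',' or a space so that 'search=' does not
    match inside 'search_id='; the value runs to the next comma or the closing ']'.
    """
    m = re.search(r"[\[, ]" + re.escape(name) + r"=([^,\]]*)", event)
    return m.group(1) if m else None


def audit_search_string(event):
    """Return the single-quoted search string, which may itself contain commas."""
    m = re.search(r"[\[, ]search='((?:[^'\\]|\\.)*)'", event)
    return m.group(1) if m else None


def epoch_to_iso(value):
    """search_et/search_lt are epoch seconds; N/A (all-time search) becomes None."""
    if value is None or value == "N/A":
        return None
    return datetime.fromtimestamp(float(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def completed_searches(events, excluded_users=EXCLUDED_USERS):
    """Same filter as: index=_audit action=search info=completed user!=... (one row per search)."""
    rows = []
    for ev in events:
        if audit_field(ev, "action") != "search" or audit_field(ev, "info") != "completed":
            continue
        user = audit_field(ev, "user")
        if user in excluded_users:
            continue
        rows.append({
            "user": user,
            "search_id": (audit_field(ev, "search_id") or "").strip("'"),
            "search": audit_search_string(ev),
            "total_run_time": float(audit_field(ev, "total_run_time")),
            "earliest": epoch_to_iso(audit_field(ev, "search_et")),
            "latest": epoch_to_iso(audit_field(ev, "search_lt")),
        })
    return rows


if __name__ == "__main__":
    for row in completed_searches(SAMPLE_AUDIT):
        print(row)
```

The N/A case is the one to watch when reporting on these events: a search with no earliest/latest is not a parsing failure, it is an all-time search, and from an audit standpoint those are often the ones worth looking at first.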

IRHM73
Motivator

Hi @somesoni2, that's great thank you very much, this is exactly what I was after.

Kind Regards

Chris
