Splunk Search

Extract Searches Performed

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I was using the query below to return details of all the searches performed which was great because I could extract the user, run time of the search and 'earliest' and 'latest' dates used in the query.

|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")  
|search title!=""

The problem is that this doesn't give me the details for all the searches run.

So I started using the following:

index=_audit action="search" search=* 
| search NOT (user="splunk-system-user" OR user="monitoring") 

But the problem with this is that I can't retrieve all the 'earliest' and 'latest' dates, and so far I've been unable to find the run time audit event for the query.

Could someone please tell me whether there is a query which returns all of the searches within a given time period and also provides the dates and run times I need?

Many thanks and Kind Regards

Chris

1 Solution

somesoni2
Revered Legend

Use the following query

index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring" 

This gives you the fields you need: user, total_run_time, search_et (earliest), search_lt (latest)

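As an added illustration (not from the thread above): a small Python parser that applies the same filter as the accepted answer (action=search, info=completed, system users excluded) to raw audit lines and pulls out user, total_run_time, search_et and search_lt. The sample lines are constructed to the general shape of Splunk's audit.log; field names are those named in the answer, values are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the general shape of Splunk's _audit search events.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-05-2024 09:12:44.118, user=chris, action=search, info=granted, search_id='1709629964.101', search='search index=web status=500 | stats count by uri'][n/a]
Audit:[timestamp=03-05-2024 09:12:47.902, user=chris, action=search, info=completed, search_id='1709629964.101', total_run_time=3.71, event_count=412, result_count=9, search_et=1709626364.000, search_lt=1709629964.000, search='search index=web status=500 | stats count by uri'][n/a]
Audit:[timestamp=03-05-2024 09:13:01.004, user=splunk-system-user, action=search, info=completed, search_id='1709629981.102', total_run_time=0.42, event_count=3, result_count=3, search_et=1709629381.000, search_lt=1709629981.000, search='search index=_internal | head 3'][n/a]
Audit:[timestamp=03-05-2024 09:15:30.770, user=analyst, action=search, info=completed, search_id='1709630130.103', total_run_time=12.05, event_count=88210, result_count=1, search_et=1709543730.000, search_lt=1709630130.000, search='search index=_audit action=search | stats count'][n/a]
"""

# Same exclusions the answer applies with user!="..."
EXCLUDED_USERS = {"splunk-system-user", "monitoring"}

# key=value pairs: value is a quoted string (may contain commas, spaces, '=') or a bare token
_KV = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[^,\]]+)")


def parse_audit_line(line):
    """Return the key=value fields inside Audit:[...], or None if the line is not an audit event."""
    m = re.search(r"Audit:\[(.*)\]\[", line)
    if not m:
        return None
    fields = {}
    for key, val in _KV.findall(m.group(1)):
        if val[:1] in "'\"" and val[-1:] == val[:1]:
            val = val[1:-1]          # strip the quotes around the search string
        fields[key] = val.strip()
    return fields


def completed_searches(text):
    """Completed, non-system searches with the fields the accepted answer relies on."""
    rows = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("action") != "search" or f.get("info") != "completed":
            continue                 # 'granted' events carry no run time or time range
        if f.get("user") in EXCLUDED_USERS:
            continue
        rows.append({
            "user": f["user"],
            "search": f.get("search", ""),
            "total_run_time": float(f["total_run_time"]),
            "earliest": datetime.fromtimestamp(float(f["search_et"]), timezone.utc),
            "latest": datetime.fromtimestamp(float(f["search_lt"]), timezone.utc),
        })
    return rows
```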


IRHM73
Motivator

Hi @somesoni2, that's great, thank you very much; this is exactly what I was after.

Kind Regards

Chris
