Solved: Re: Extract Searches Performed

IRHM73 · ‎03-14-2016

Hi, I wonder whether someone may be able to help me please.

I was using the query below to return details of all the searches performed which was great because I could extract the user, run time of the search and 'earliest' and 'latest' dates used in the query.

|rest /services/search/jobs   
|search NOT (author="splunk-system-user" OR author="monitoring")  
|search title!=""

The problem is, is that this doesn't give me the details for all the searches run.

So I started using the following:

index=_audit action="search" search=* 
| search NOT (user="splunk-system-user" OR user="monitoring")

But the problem with this is that I can't retrieve all the 'earliest' and 'latest' dates, and so far I've been unable to find the run time audit event for the query.

Could someone tell me please is there a query which returns all of the searches within a given time period which also provides the dates and run times I need.

Many thanks and Kind Regards

Chris

somesoni2 · ‎03-14-2016

Use the following query

index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring"

This gives you fields you need: user, total_run_time, search_et (earliest), search_lt (latest)

View solution in original post

somesoni2 · ‎03-14-2016

Use the following query

index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring"

This gives you fields you need: user, total_run_time, search_et (earliest), search_lt (latest)

IRHM73 · ‎03-14-2016

Hi @somesoni2, that's great thank you very much, this is exactly what I was after.

Kind Regards

Chris

Extract Searches Performed

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life