Hello,
index=_audit user=admin action=search info=granted search=* | table search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
I extracted the following result with this command.
search_id   search
[ID1]       [SPL1]
[ID2]       [SPL2]
[ID3]       [SPL3]
I want to get the count for each value of the search field by re-running that search:
search_id   search    count
[ID1]       [SPL1]    [SPL1-count]
[ID2]       [SPL2]    [SPL2-count]
[ID3]       [SPL3]    [SPL3-count]
I'd appreciate it if you could help me.
Hi @syloee,
Is it mandatory for you to have the search_id?
Because every search has a different id, the count will always be 1.
If you want to know how many times a search was executed, you could use:
index=_audit user=admin action=search info=granted search=*
| stats count BY search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
| sort -count
Ciao.
Giuseppe
Hi @syloee,
Let me understand: do you want to know the count of searches?
If this is your need, you could use stats instead of table:
index=_audit user=admin action=search info=granted search=*
| stats count BY search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
Ciao.
Giuseppe
Example:
search_id   search                                   count
[ID1]       index=_internal sourcetype=splunkd       10   (the count returned by index=_internal sourcetype=splunkd)
[ID2]       index=_internal sourcetype=splunk*       100  (the count returned by index=_internal sourcetype=splunk*)
Not the result_count from the _audit log, but the count obtained by re-running each search.
I'd appreciate it if you could help me.
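Added example, not taken from any of the posts above: one way to get the result count by actually re-running each audited search is Splunk's map command, which runs a subsearch once per input row and substitutes that row's field values into $field$ tokens. The 24h window, the maxsearches limit, the dedup on the search text and the list of commands excluded from re-execution are assumptions made here for illustration, not settings from the thread.

```spl
index=_audit user=admin action=search info=granted search=* earliest=-24h
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
| dedup search
| where NOT match(search, "(?i)\|\s*(delete|outputlookup|sendemail|collect|runshellscript|script)")
| table search_id search
| map maxsearches=20 search="search $search$ | stats count | eval search_id=\"$search_id$\", search=\"$search$\""
| table search_id search count
```

A few caveats a practitioner should keep in mind. map re-executes SPL that was read out of log data, with the privileges of whoever runs this query, so every audited admin search is run again; the where clause above is a crude guard that skips searches containing commands with side effects (the list is illustrative, not complete), and the result list should be reviewed before raising maxsearches. The dedup keeps one row per distinct search text, so only the first search_id for each text survives, which matches the point that a per-search_id count is always 1. Substitution is plain text replacement: a search text containing double quotes or a dollar sign will break the inner eval, and a search that begins with a generating command such as "| tstats" will not work behind the leading "search" keyword. Finally, the count obtained here reflects the time range in effect when the subsearch runs, which is not necessarily the range the original search used.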