Splunk Search

Find user saved searches

sanju005ind
Communicator

Given a splunk username how do i search for the following.

The roles that the user has - The last 15 searches performed - Any saved searches

Tags (1)
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

sanju005ind
Communicator

Sorry Saved searches created.

0 Karma

sanju005ind
Communicator

Checking the index=_audit gives the recently used. However what about those searches that are never executed.Need a list of all the searches the user has created.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...