Find user saved searches

sanju005ind
Communicator

Given a Splunk username, how do I search for the following?

- The roles that the user has
- The last 15 searches performed
- Any saved searches

1 Solution

Ron_Naken
Splunk Employee

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

sanju005ind
Communicator

Sorry, saved searches created.


sanju005ind
Communicator

Checking index=_audit gives the recently used ones. However, what about those searches that are never executed? I need a list of all the searches the user has created.

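As an added example that is not part of this thread: a small Python script that parses the per-user savedsearches.conf files Ron lists, which addresses the follow-up about searches that were created but never run (those never show up in index=_audit or the scheduler logs). It assumes a local $SPLUNK_HOME directory layout and a hypothetical user "alice"; saved searches shared at app level under etc/apps/<app>/local record their owner in metadata/local.meta rather than in savedsearches.conf, and this script does not read that file.

```python
# Added example, not from the thread: enumerate a user's private saved searches straight from
# $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf (catches never-run ones too).
import tempfile
from pathlib import Path

def parse_conf(text):
    """Splunk .conf -> {stanza: {key: value}}; handles # comments and \\ continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):           # backslash continues the value on the next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()   # last duplicate key wins
    return stanzas

def user_saved_searches(splunk_home, user):
    """Return [(app, name, search)] for every saved search in the user's private scope."""
    found = []
    user_dir = Path(splunk_home) / "etc" / "users" / user
    for conf in sorted(user_dir.glob("*/local/savedsearches.conf")):
        app = conf.parent.parent.name       # etc/users/<user>/<app>/local/savedsearches.conf
        for name, attrs in parse_conf(conf.read_text()).items():
            found.append((app, name, attrs.get("search", "")))
    return found

# Constructed fixture standing in for a real $SPLUNK_HOME (user "alice" is hypothetical)
SAMPLE_CONF = """\
[Failed logins by host]
search = index=main sourcetype=linux_secure "Failed password" \\
| stats count by host
[Admin role changes]
search = index=_audit action=edit_roles
"""

def build_fixture():
    root = tempfile.mkdtemp()
    local = Path(root) / "etc" / "users" / "alice" / "search" / "local"
    local.mkdir(parents=True)
    (local / "savedsearches.conf").write_text(SAMPLE_CONF)
    return root
```

Point it at the real $SPLUNK_HOME on the search head (or a diag bundle) instead of the fixture to get the complete list, including searches that have never been dispatched.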