I need to find which user ran a specific dbquery such as 'select * from table1'. Can someone tell me how to search splunk for this?
Thanks,
j
This works for me to find queries on any database in the instance. I'm sysadmin on the instance (check your priviledges):
SELECT deqs.last_execution_time AS [Time], dest.text AS [Query], dest.*
FROM sys.dm_exec_query_stats AS deqs
CROSS APPLY sys.dm_exec_sql_text(deqs.sql_handle) AS dest
WHERE dest.dbid = DB_ID('msdb')
ORDER BY deqs.last_execution_time DESC
This is the same answer that Aaron Bertrand provided but it wasn't placed in an answer.
Splunk keeps all issued searches in its _audit index, so you can look there. Something like this:
index=_audit action=search info=granted search="*select * from table1*"