Re: Finding searches for a user

rmorlen · ‎03-05-2013

Pre-Splunk 5 I could find a list of searches for a user by doing something like:

index=_internal sourcetype=searches username

What is the Splunk 5 equivalent?

How about getting a count of all searches run for a day?

yannK · ‎03-05-2013

take a look in look in index=_audit

[edit]
it's not as simple 🙂

you may want to take a look at the SOS app, it has nice dashboards on the search usage (for ad-hoc searches and scheduled searches)

# ad-hoc searches look in the _audit

index=_audit action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | rex "search='(?<search>.*?)', autojoin" | search search_id!=scheduler_* | convert num(total_run_time) | eval user = if(user="n/a", null(), user) | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id | search search=search* search!=*_internal* search!=*_audit* | chart median(total_run_time) as "Median search time" perc95(total_run_time) as "95th Percentile search time" sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user | fieldformat "Last use" = strftime('Last use', "%F %T.%Q %:z")

# scheduled searches you can look in the _internal index

index=_internal source=*scheduler.log* | stats min(run_time) as "Min runtime (seconds)", median(run_time) as median_runtime, max(run_time) as max_runtime, count(eval(status!="continued")) AS total_exec, count(eval(status=="success")) as "Successful executions", count(eval(status=="skipped")) AS "Skipped executions" by app, savedsearch_name, user

rsathish47 · ‎04-01-2016

Thank you for this

rmorlen · ‎03-06-2013

Tried index=_* AND index=* sourcetype=searches over 24 hours . 0 results.

Finding searches for a user

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life