Splunk Search

Get user's search history

Branden
Builder

Quick question: how can I view a user's search history?


bohanlon_splunk
Splunk Employee

This post has a better solution:
https://answers.splunk.com/answers/151378/why-history-command-only-shows-my-searches-not-searches-ru...

Query:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

OR
|history

Runals
Motivator

Which is a search originally posted in this thread 😃

David
Splunk Employee

Converting this answer to a comment, since it doesn't work as of Splunk 5.x, so that other correct answers will show up first.

You can do a search for:

index=_internal sourcetype=searches username
0 Karma

David
Splunk Employee

My pleasure!

0 Karma

jtrucks
Splunk Employee

This no longer works with 5.x.

--
Jesse Trucks
Minister of Magic

alanden_splunk
Splunk Employee

This solution doesn't work

0 Karma

bohanlon_splunk
Splunk Employee

I downvoted this post because doesn't work in 6.5.x either.

0 Karma

David
Splunk Employee

Good call everyone! You should use index=_internal action=search search=* now. Or download the Search Activity app 🙂 https://splunkbase.splunk.com/app/2632/

0 Karma

Branden
Builder

Thank you very much!

0 Karma

mparks11
Path Finder

Thanks for the input here. I found some odd results based on what a user says they were searching and what is reported out of the _audit index. Anyway, here's another method I found that may or may not be applicable, but it seemed to at least yield some results.

index=_internal user=* sourcetype=splunkd_ui_access | dedup q | table _time, q | eval q=urldecode(q)

Hope it might also help.

horsefez
SplunkTrust

Thank you for the update!

0 Karma

Runals
Motivator

This thread came up in a search for something related. Figured I would share. Note having the double stats command in this context can get you in trouble if you have someone who has created a lot of searches. In general I like this method to display data in Splunk dashboards/views. Sucks when it is exported though. If nothing else everything up to the first pipe can be used. I'm wrapping the field and value components in quotes to make it a bit faster. The metadata search bit is from the default search page in 5x.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

proletariat99
Communicator

This is what I was looking for. Thanks! Well, I modified it a bit to dumb it down, but this works to just see who is running what:
index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user

0 Karma

dmcgeearke
Explorer

This works great, but i do notice that all the dashboard searches that fire when a user hits a certain dashboard also go into the list under their name. Is there something i could add to the query to remove the dashboard triggered searches, and return ONLY searches triggered manually by a user?

0 Karma

DarkTechPrince
Loves-to-Learn Lots

Looking at the "provenance" field in the search i found that only fields containing the value "UI:Search" were related to actual search queries. The rest like dashboard searches that fire off automatically appear under other field values.


Hope that helps

0 Karma

dmcgeearke
Explorer

Also, I'd like to be able to use the $click.value2$ to do a drilldown search, but it seems to be adding the single quotes before and after the search. Any ideas on how to remove those from the search query, either before displaying it, or on the drilldown?

0 Karma

mparks11
Path Finder

There's probably a more elegant way, but this should work to remove the single quotes in your results, by appending to the end of your search:

| rex field=search mode=sed "s/^'//g"
| rex field=search mode=sed "s/'$//g"

dmcgeearke
Explorer

Yes, that worked! Thanks! I knew a rex of some sort would be the answer, but hadn't gotten it figured out yet.

Any idea on the first question? (filtering dashboard searches from "manual" search history)?

0 Karma

mparks11
Path Finder

Sorry, i don't! Maybe something in the search_id field might be an indication?

dmcgeearke
Explorer

I used your suggestion, looked at the search_id field. It appeared that any "dashboard" searches started with _, while manual searches started with a number.

I added NOT "search_id='_*" to the query and it seemed to clean up the history a lot.

So the complete search is:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "search_id='_*" NOT "user=splunk-system-user" NOT internal_monitoring NOT "search='typeahead" NOT "admin" NOT "search='| metadata type=* | search totalCount>0"
| sort - _time
| stats values(search) as Search by user
| rex field=Search mode=sed "s/^'//g"
| rex field=Search mode=sed "s/'$//g"

then the drilldown search is simply $click.value2$
