Splunk Search

Get user's search history

Builder

Quick question: how can I view a user's search history?


Re: Get user's search history

Builder

The solution for 5.x and later is to use the "history" command in search, i.e.

| history

See http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/History


Re: Get user's search history

Path Finder

It appears that "history" only returns search history for the current user. Is there a way in 5.x to get history for all users?


Re: Get user's search history

Path Finder

Also, "history" suffers from the same problem as the "Jobs" page: it doesn't contain the full history. Viewing a dashboard with an auto-refresh can quickly blow through all the history that is retained for "history".


Re: Get user's search history

Motivator

This thread came up in a search for something related. Figured I would share. Note that having the double stats command in this context can get you in trouble if you have someone who has created a lot of searches. In general I like this method to display data in Splunk dashboards/views. Sucks when it is exported though. If nothing else, everything up to the first pipe can be used. I'm wrapping the field and value components in quotes to make it a bit faster. The metadata search bit is from the default search page in 5.x.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

Re: Get user's search history

Communicator

This is what I was looking for. Thanks! Well, I modified it a bit to dumb it down, but this works to just see who is running what:

index=_audit action=search earliest=@d user!="splunk-system-user" user!=admin | stats values(search) by user


Re: Get user's search history

Explorer

This works great, but I do notice that all the dashboard searches that fire when a user hits a certain dashboard also go into the list under their name. Is there something I could add to the query to remove the dashboard-triggered searches, and return ONLY searches triggered manually by a user?


Re: Get user's search history

Explorer

Also, I'd like to be able to use the $click.value2$ to do a drilldown search, but it seems to be adding the single quotes before and after the search. Any ideas on how to remove those from the search query, either before displaying it, or on the drilldown?


Re: Get user's search history

Path Finder

There's probably a more elegant way, but this should work to remove the single quotes in your results, by appending to the end of your search:

| rex field=search mode=sed "s/^'//g"
| rex field=search mode=sed "s/'$//g"
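As an added illustration (not code from the thread), the script below applies the same exclusions as the index=_audit query posted earlier (scheduler search_ids, splunk-system-user, |history, typeahead and the metadata search) and the two rex mode=sed steps above, but offline in Python over constructed audit lines; the event text and user names are invented, modelled only on the field names the thread filters on.

```python
import re

# Constructed sample _audit events (not captured from a real Splunk instance).
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-28-2014 10:15:30.123, user=alice, action=search, info=granted , search_id='1390921230.5', search='search index=web status=500 | stats count'][n/a]",
    "Audit:[timestamp=01-28-2014 10:16:02.004, user=alice, action=search, info=granted , search_id='1390921262.7', search='| metadata type=sourcetypes | search totalCount>0'][n/a]",
    "Audit:[timestamp=01-28-2014 10:17:11.900, user=bob, action=search, info=granted , search_id='scheduler__bob__search__RMD5abc_at_1390921200_12', search='search index=_internal error | head 5'][n/a]",
    "Audit:[timestamp=01-28-2014 10:18:45.211, user=splunk-system-user, action=search, info=granted , search_id='1390921325.2', search='search index=_internal | stats count by component'][n/a]",
    "Audit:[timestamp=01-28-2014 10:19:05.000, user=bob, action=search, info=granted , search_id='1390921345.9', search='|history'][n/a]",
    "Audit:[timestamp=01-28-2014 10:20:00.000, user=bob, action=search, info=granted , search_id='1390921400.3', search='typeahead prefix=\"index=\" count=10'][n/a]",
    "Audit:[timestamp=01-28-2014 10:20:30.000, user=bob, action=search, info=granted , search_id='1390921430.8', search='search index=web | head 100'][n/a]",
    "Audit:[timestamp=01-28-2014 10:21:00.000, user=carol, action=search, info=granted , search_id='1390921460.5', search='search index=auth user=\"o'brien\" | stats count'][n/a]",
]

def parse_audit_event(line):
    """Pull the fields the thread's query uses out of one audit line; None if absent."""
    m = re.search(r"user=([^,\]]+), action=(\w+), info=(\w+)", line)
    if not m:
        return None
    event = {"user": m.group(1), "action": m.group(2), "info": m.group(3)}
    sid = re.search(r"search_id='([^']*)'", line)
    event["search_id"] = sid.group(1) if sid else ""
    # Keep the surrounding single quotes, as the extracted search field does in the
    # thread; the text may contain a quote itself, so end at the one before the next key.
    srch = re.search(r"\bsearch=('.*?')(?=, \w+=|\]\[)", line)
    event["search"] = srch.group(1) if srch else ""
    return event

def strip_quotes(value):
    """Equivalent of the two rex mode=sed steps: drop one leading and one trailing quote."""
    return re.sub(r"'$", "", re.sub(r"^'", "", value))

def is_interactive(event):
    """Exclusions from the index=_audit query in the thread."""
    if event["action"] != "search" or event["info"] != "granted":
        return False
    if event["user"] == "splunk-system-user" or event["search_id"].startswith("scheduler"):
        return False
    s = strip_quotes(event["search"])
    if s.startswith(("|history", "typeahead")) or (s.startswith("| metadata type=") and "| search totalCount>0" in s):
        return False
    return True

def history_by_user(lines):
    """Map user -> list of interactive searches in log order, quotes stripped."""
    history = {}
    for event in filter(None, map(parse_audit_event, lines)):
        if is_interactive(event):
            history.setdefault(event["user"], []).append(strip_quotes(event["search"]))
    return history
```

Note that, like the SPL in the thread, this still lists dashboard-driven searches under the user who opened the dashboard, since the audit fields used here do not distinguish them from searches typed by hand.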

Re: Get user's search history

Explorer

Yes, that worked! Thanks! I knew a rex of some sort would be the answer... but hadn't gotten it figured out yet.

Any idea on the first question (filtering dashboard searches from "manual" search history)?
