abhijit_mhatre
Path Finder
02-02-2018
07:24 AM
How can we check the number of searches run by a user?
We tried installing the Search Activity app, but a majority of the users do not have LDAP authentication. Hence the app is not getting configured.
Please let us know if there are any queries which will help in finding out the searches run by a user.
Thanks in advance.
1 Solution

493669
Super Champion
02-02-2018
07:51 AM
Hi @abhijit_mhatre,
Try this:
index=_audit action=search info=granted search=*
NOT "search_id='scheduler"
NOT "search='|history"
NOT "user=splunk-system-user"
NOT "search='typeahead"
NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
Have a look at https://answers.splunk.com/answers/369183/splunk-searches-run-by-user.html
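Added example, not part of the original answer: the query above lists each ad hoc search, so to get the number of searches per user that the question asks for, the same filters can be followed by an aggregation. The output field names `searches`, `first_search` and `last_search` are chosen here for illustration.

```spl
index=_audit action=search info=granted search=*
    NOT "search_id='scheduler"
    NOT "search='|history"
    NOT "user=splunk-system-user"
    NOT "search='typeahead"
    NOT "search='| metadata type=* | search totalCount>0"
| eval search_id = trim(replace(search_id, "\'", ""))
| stats dc(search_id) AS searches, earliest(_time) AS first_search, latest(_time) AS last_search BY user
| convert ctime(first_search) ctime(last_search)
| sort - searches
```

Counting distinct `search_id` values rather than raw events keeps a search from being counted twice if it produced more than one matching audit event; the time picker bounds the period being counted.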
