How can we detect the heaviest search users during peak usage time?

ddrillic
Ultra Champion

Our indexers were under heavy load today and some crashed. Most likely it's due to extensive search activity. Is there a way to get a total usage report of the search activity by the users during peak usage time?


mayurr98
Super Champion

hey

There are multiple ways to track users' search activity:

1) have a look at this search activity app on splunkbase:
https://splunkbase.splunk.com/app/2632/

2) The Splunk on Splunk app has some User Activity views.

Furthermore, you can search the "_audit" index:

index=_audit | table _time user action info

The "_internal" index also has some sources on which to do username analytics, i.e. searches.log

3) Also, you can track user's search activity in the monitoring console:

go to monitoring console > search > search activity:instance > search activity > split by:user

open in search and then you can customize the query according to your need.
Refer to this doc for more:
http://docs.splunk.com/Documentation/Splunk/7.0.1/DMC/SearchactivityDeploymentwide

let me know if this helps!

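To answer the original question directly from the "_audit" index, here is an added example query (not from the answer above or from any of the apps it links). It assumes the standard fields that Splunk writes on search-completion audit events (action=search, info=completed, user, total_run_time, scan_count): it buckets the last 24 hours into one-hour slots, totals search run time per user per hour, ranks the hours by total load so the busiest hour sorts first, and keeps the five heaviest users within each hour.

```spl
index=_audit action=search info=completed earliest=-24h
| bin _time span=1h
| stats sum(total_run_time) AS run_time_sec, count AS searches, sum(scan_count) AS scanned_events BY _time, user
| eventstats sum(run_time_sec) AS hour_run_time_sec BY _time
| sort 0 -hour_run_time_sec, -run_time_sec
| streamstats count AS rank BY _time
| where rank <= 5
| convert ctime(_time) AS hour
| table hour, hour_run_time_sec, rank, user, searches, run_time_sec, scanned_events
```

The first rows returned are the peak hour and its heaviest users; add `host` to the BY clauses if audit events from several search heads are indexed together and you want the per-search-head breakdown, and exclude `user=splunk-system-user` to focus on interactive and ad-hoc searches.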

masonmorales
Influencer

This app contains a dashboard for search head utilization by user with cumulative run time https://splunkbase.splunk.com/app/2678/

Splunk actually copied some of the ideas from it and incorporated them into the Splunk 7 DMC. So, if you are on the latest version of Splunk, you could use DMC for this as well.

gjanders
SplunkTrust

I wrote a few dashboards for this in Alerts for Splunk Admins; you could look at utilising some of the queries, or you could just get an idea of what to query. The dashboard is called "Troubleshooting Indexer CPU".

Good luck!

ddrillic
Ultra Champion

Wow - interesting.

ddrillic
Ultra Champion

Per #3 -

It's a gorgeous view.

Is there a way to get this view across the cluster and not for one instance?


mayurr98
Super Champion

If there is a filter which allows you to see this kind of functionality, then look for it. Otherwise you would need to take the search and customize the main search to look for all the instances. I think there is a filter to search for all the groups at the top. Just play with the dashboard; you should get the desired results!

Thanks.
