Splunk Search

How do I find out how many times an offensive search ran in the past day/week?

Ultra Champion

We have what we believe to be an offensive search. How can we find out how many times it ran recently and by whom?

1 Solution

Revered Legend

Is it a saved search or adhoc search? If saved search, look at index=_internal sourcetype=scheduler savedsearch_name=YourSearchName. For adhoc searches, check index=_audit.

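As an added example (not part of the original answer), the two queries below turn those lookups into run counts per user per day for the past week: the first covers a saved search in the scheduler log, the second an ad hoc search in the audit index. `YourSearchName` is the answer's placeholder and `<text from the search>` is a placeholder to fill in; the field names (`user`, `app`, `status`, `run_time`, `info`, `search`, `search_id`) assume default Splunk scheduler and audit logging.

```spl
index=_internal sourcetype=scheduler savedsearch_name="YourSearchName" earliest=-7d@d
| bin _time span=1d
| stats count AS runs, avg(run_time) AS avg_run_time_s BY _time, user, app, status
| sort _time, user

index=_audit action=search info=granted search="*<text from the search>*" NOT search="*index=_audit*" earliest=-7d@d
| bin _time span=1d
| stats count AS runs, dc(search_id) AS distinct_jobs BY _time, user
| sort _time, user
```

The `NOT search="*index=_audit*"` term keeps the second query from counting its own audit events; drop it if the search under investigation itself reads from `_audit`.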

Ultra Champion

Gorgeous !!!
