Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to backup the search queries of a user/admin in splunk ?

ppilla
Engager
‎05-19-2019 10:46 PM

How to backup the search queries of a user/admin in splunk ?
How to backup all the search queries of a user or admin in splunk enterprise.

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-20-2019 05:31 AM

Hi @ppilla,

It's very important to keep a backup of all the searches you use. There's an official documentation on how to backup Splunk knowledge objects that you can find here :
https://docs.splunk.com/Documentation/CoE/ssf/Handbook/ConfigBackup
https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Backupconfigurations

Also if you want to go through all the searches that have been executed on Splunk then you can have a look at the _audit index.

Cheers,
David

0 Karma
Reply

koshyk
Super Champion
‎05-20-2019 05:14 AM

Splunk stores all the auditTrail (searches/savedsearches etc.). It is stored under index=_audit

A simple search would be

(index=_audit search_group=* action=search sourcetype=audittrail search_id!="rsa_*")
| fillnull value=NA search 
| stats count by user,search

But you can extend it to any fields

So if you need to backup, you can
1. backup the whole _audit index
2. Run a specific query on regular basis and do an outputlookup to a CSV file and back this up.

0 Karma
Reply

adonio
Ultra Champion
‎05-20-2019 04:59 AM

you have the queries saved for a certain amount of time
you can click on Expand your search history
another option will be to run the history command and collect to a summary index on a regular basis
see links:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Interactivesearchhistory
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/History

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...