Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a report on a user, their ad-hoc and scheduled searches, and the IP that is running them?

a212830
Champion
‎03-10-2015 10:52 AM

Hi,

Is there a way to run a report that shows a specific user, their ad-hoc and scheduled searches, and the ip that is running them?

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎03-10-2015 11:35 AM

This can get you started (minus the IP thing)

index=_audit host=CCFS-SH2 action=search user!=splunk-system-user search_id=* (info=granted OR info=completed) |rex field=apiStartTime "'(?<start_time>[^']+)'" |rex field=apiEndTime "'(?<end_time>[^']+)'" | eval search_id = trim(if(isnull(search_id), id, search_id), "'") | eval run_time_min=round(total_run_time/60,2) |eval range=if(start_time=="ZERO_TIME","All Time", tostring(strptime(end_time, "%a %b %d %H:%M:%S %Y") - strptime(start_time, "%a %b %d %H:%M:%S %Y"),"duration"))
0 Karma
Reply

a212830
Champion
‎03-10-2015 12:11 PM

The ip is key - trying to find out where some of these searches are coming from...

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...