Splunk Search

How to create a report on a user, their ad-hoc and scheduled searches, and the IP that is running them?

a212830
Champion

Hi,

Is there a way to run a report that shows a specific user, their ad-hoc and scheduled searches, and the ip that is running them?

Tags (3)
0 Karma

somesoni2
Revered Legend

This can get you started (minus the IP thing)

index=_audit host=CCFS-SH2 action=search user!=splunk-system-user search_id=* (info=granted OR info=completed) |rex field=apiStartTime "'(?<start_time>[^']+)'" |rex field=apiEndTime "'(?<end_time>[^']+)'" | eval search_id = trim(if(isnull(search_id), id, search_id), "'") | eval run_time_min=round(total_run_time/60,2) |eval range=if(start_time=="ZERO_TIME","All Time", tostring(strptime(end_time, "%a %b %d %H:%M:%S %Y") - strptime(start_time, "%a %b %d %H:%M:%S %Y"),"duration"))
0 Karma

a212830
Champion

The ip is key - trying to find out where some of these searches are coming from...

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...