I need to get a report of search windows used in historical search activity. For example, we need to determine how far back users are typically searching (last 24 hours, last 7 days, more than 90 days ago, etc.). I'm familiar with the DMC dashboards, which don't provide the search window of the searches they report on, and familiar with the logs in the _audit index, which might be my best bet.
Is there documentation explaining what the different time fields are in index=_audit action=search? Or is there another way to get a report of how often each search window/time frame is used over a given period?
You can use the Splunk Instance Monitoring app for this and look at Search Usage Statistics. This will give you user search statistics, or you can amend it very slightly and use the below:
(search_id!="rsa_*" action=search host=* index=_audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin (host=sh*.*splunk*.* OR host=si*.*splunk*.*))
| eval user=if((user == "n/a"),null(),user), search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(savedsearch_name,"^_ACCELERATE_"),"acceleration",match(search_id,"^((rt_)?scheduler__|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"), search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name)
| stats min(_time) as _time, values(user) as user, values(_time) as time, values(info) as info, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host
| search (host=* search="*" user="*")
| where ((search_type == "ad hoc") AND isnotnull(search))
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime), latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime), _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z")
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id
| where (total_run_time >= 0)
| sort - total_run_time
| fields + search, total_run_time, _time, earliest, latest, search_type, user
| rename _time as "Search Start", earliest as "Earliest Time", latest as "Latest Time", search as "Report Name/Search String", search_type as Type, total_run_time as "Search Runtime", user as User
So apiStartTime and apiEndTime are the beginning and end of the search window?
The searches from DMC don't provide the search windows, which is what I need. If the two fields above are the search window constraints, then I can build a search off of those to calculate the time difference between them and report that window.
That's what I did yesterday, but I thought I was doing something wrong since I was getting all sorts of odd search windows that don't align to the presets. Things like X minutes and a random number of seconds. Rounding these to whole numbers I see a lot of things like 61 minutes or 91 days or 0 minutes. It seemed very odd and had me thinking these fields weren't the right fields for the search window.
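As an added example (not code from the thread or from the Splunk monitoring app), the script below does offline what the SPL above does in Splunk: it pulls apiStartTime and apiEndTime out of audittrail-style events, treats ZERO_TIME on both sides as "all time" and on one side as open-ended, and turns the remaining windows into a length in seconds. It also shows why the rounded lengths look like "61 minutes" or "91 days": time-picker presets that snap to a unit (for example -60m@m or -90d@d) produce a window of the nominal length plus the seconds elapsed into the current minute, hour or day, so the code matches a window to a preset when it falls within one snap unit above the nominal length. The sample events, the user names, the preset list and the snap units are constructed assumptions for this example; the field layout is modelled on what index=_audit action=search events look like.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audittrail events (not real log data). Field layout and
# the ctime-style apiStartTime/apiEndTime strings follow index=_audit
# action=search events; ZERO_TIME marks a side of the window that is unbounded.
SAMPLE_AUDIT = [
    "Audit:[timestamp=11-14-2023 22:12:37.000, user=alice, action=search, info=granted, search_id='1699999957.101', apiStartTime='Tue Nov 14 21:12:00 2023', apiEndTime='Tue Nov 14 22:12:37 2023', search='search index=main error']",
    "Audit:[timestamp=11-14-2023 22:15:02.000, user=bob, action=search, info=granted, search_id='1700000102.102', apiStartTime='Mon Nov 13 22:00:00 2023', apiEndTime='Tue Nov 14 22:15:02 2023', search='search index=web status=500']",
    "Audit:[timestamp=11-14-2023 22:20:00.000, user=carol, action=search, info=granted, search_id='1700000400.103', apiStartTime='Wed Aug 16 00:00:00 2023', apiEndTime='Tue Nov 14 22:20:00 2023', search='search index=auth failed']",
    "Audit:[timestamp=11-14-2023 22:21:00.000, user=dave, action=search, info=granted, search_id='1700000460.104', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', search='search index=_internal']",
    "Audit:[timestamp=11-14-2023 22:22:00.000, user=erin, action=search, info=granted, search_id='1700000520.105', apiStartTime='Wed Nov 01 00:00:00 2023', apiEndTime='Fri Nov 10 12:00:00 2023', search='search index=main']",
    "Audit:[timestamp=11-14-2023 22:25:00.000, user=frank, action=search, info=granted, search_id='1700000700.106', apiStartTime='ZERO_TIME', apiEndTime='Tue Nov 14 22:25:00 2023', search='search index=main']",
    "Audit:[timestamp=11-14-2023 22:30:00.000, user=grace, action=search, info=granted, search_id='1700001000.107', apiStartTime='Fri Apr 28 00:00:00 2023', apiEndTime='Tue Nov 14 22:30:00 2023', search='search index=main']",
]

ZERO_TIME = "ZERO_TIME"
TS_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style layout used by apiStartTime/apiEndTime

# (label, nominal length in seconds, snap unit in seconds). A preset such as
# -60m@m yields a window of 3600 s plus up to 59 s into the current minute,
# so a window is attributed to a preset when nominal <= length < nominal + snap.
# Which presets exist and how they snap are assumptions for this example.
PRESETS = [
    ("last 15 minutes", 15 * 60, 60),
    ("last 60 minutes", 60 * 60, 60),
    ("last 4 hours", 4 * 3600, 3600),
    ("last 24 hours", 24 * 3600, 3600),
    ("last 7 days", 7 * 86400, 3600),
    ("last 30 days", 30 * 86400, 86400),
    ("last 90 days", 90 * 86400, 86400),
]

# Coarse "how far back" buckets, matching the categories asked for in the question.
BUCKETS = [
    ("<= 24 hours", 86400),
    ("<= 7 days", 7 * 86400),
    ("<= 30 days", 30 * 86400),
    ("<= 90 days", 90 * 86400),
]


def parse_event(line):
    """Extract the fields the report needs from one audittrail event."""
    def grab(key):
        m = re.search(r"%s='([^']*)'" % key, line)
        return m.group(1) if m else None
    user = re.search(r"\buser=([^,\]]+)", line)
    return {
        "user": user.group(1) if user else None,
        "search_id": grab("search_id"),
        "apiStartTime": grab("apiStartTime"),
        "apiEndTime": grab("apiEndTime"),
    }


def window(ev):
    """Return (label, seconds); seconds is None when the window is unbounded.

    Naive datetimes are subtracted directly so the result is wall-clock length,
    independent of the host's timezone or DST rules."""
    start, end = ev["apiStartTime"], ev["apiEndTime"]
    if start == ZERO_TIME and end == ZERO_TIME:
        return ("all time", None)          # same rule as the SPL's earliest/latest eval
    if start == ZERO_TIME or end == ZERO_TIME:
        return ("open-ended", None)        # the SPL shows "-" for the unbounded side
    length = (datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)).total_seconds()
    for name, nominal, snap in PRESETS:
        if nominal <= length < nominal + snap:
            return (name, nominal)         # absorb the snap residue (the "61 minutes" effect)
    return ("custom", length)


def coarse_bucket(label, seconds):
    """Map a window to one of the coarse reporting buckets."""
    if seconds is None:
        return label
    for name, limit in BUCKETS:
        if seconds <= limit:
            return name
    return "> 90 days"


def report(lines):
    """Count how often each coarse search window appears in the events."""
    counts = Counter()
    for line in lines:
        label, seconds = window(parse_event(line))
        counts[coarse_bucket(label, seconds)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_AUDIT:
        ev = parse_event(line)
        print(ev["user"], window(ev))
    print(dict(report(SAMPLE_AUDIT)))
```

In Splunk itself the same tolerance can be applied in the SPL by comparing the apiEndTime-apiStartTime difference against the nominal preset length plus the snap unit, instead of rounding the raw difference to whole minutes or days.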