Splunk Search

How to get a report on time range windows from _audit logs?

New Member

I need to get a report of search windows used in historical search activity. For example, we need to determine how far back are users typically searching against (last 24 hours, last 7 days, more than 90 days ago, etc). I'm familiar with the DMC dashboards, which don't provide the search window of the searches it reports on, and familiar with the logs in the _audit index which might be my best bet.

Is there documentation explaining what the different time fields are in index=_audit action=search? Or is there another way to get a report of how often each search window/time frame is used over a given period?

0 Karma


you can use the splunk instance monitoring App for this and you can look at search usage statistics

this will give you user search statistics or you can amend very slightly and use the below:

(search_id!="rsa_*" action=search host=* index=_audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin (host=sh*.*splunk*.* OR host=si*.*splunk*.*)) 
| eval user=if((user == "n/a"),null(),user), search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(savedsearch_name,"^_ACCELERATE_"),"acceleration",match(search_id,"^((rt_)?scheduler__|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"), search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name) 
| stats min(_time) as _time, values(user) as user, values(_time) as time, values(info) as info, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host 
| search (host=* search="*" user="*") 
| where ((search_type == "ad hoc") AND isnotnull(search)) 
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime), latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime), _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z") 
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id 
| where (total_run_time >= 0) 
| sort - total_run_time 
| fields + search, total_run_time, _time, earliest, latest, search_type, user 
| rename _time as "Search Start", earliest as "Earliest Time", latest as "Latest Time", search as "Report Name/Search String", search_type as Type, total_run_time as "Search Runtime", user as User
0 Karma

New Member

So apiStartTime and apiEndTime are the beginning and end of the search window?

The searches from DMC don't provide the search windows which is what I need. If the two fields above are the search window constraints, then I can build a search off of those to calculate the time difference between them and report that window.

That's what I did yesterday, but thought I was doing something wrong since I was getting all sorts of odd search windows that don't align to the presets. Things like X minutes and random # of seconds. Rounding these to whole numbers I see a lot of things like 61 minutes or 91 days or 0 minutes. Seemed very odd and had me thinking these fields weren't the right fields for the search window.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...