Splunk Search

How to get a report on time range windows from _audit logs?

rleviseur01
New Member

I need to get a report of search windows used in historical search activity. For example, we need to determine how far back are users typically searching against (last 24 hours, last 7 days, more than 90 days ago, etc). I'm familiar with the DMC dashboards, which don't provide the search window of the searches it reports on, and familiar with the logs in the _audit index which might be my best bet.

Is there documentation explaining what the different time fields are in index=_audit action=search? Or is there another way to get a report of how often each search window/time frame is used over a given period?

0 Karma

Sfry1981
Communicator

you can use the splunk instance monitoring App for this and you can look at search usage statistics

this will give you user search statistics or you can amend very slightly and use the below:

(search_id!="rsa_*" action=search host=* index=_audit sourcetype=audittrail NOT user=cmon_user NOT user=internal_monitoring NOT user=ops_admin (host=sh*.*splunk*.* OR host=si*.*splunk*.*)) 
| eval user=if((user == "n/a"),null(),user), search_type=case(match(search_id,"^SummaryDirector_"),"summarization",match(savedsearch_name,"^_ACCELERATE_"),"acceleration",match(search_id,"^((rt_)?scheduler__|alertsmanager_)"),"scheduled",match(search_id,"\\d{10}\\.\\d+(_[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})?$"),"ad hoc",true(),"other"), search=if((isnull(savedsearch_name) OR (savedsearch_name == "")),search,savedsearch_name) 
| stats min(_time) as _time, values(user) as user, values(_time) as time, values(info) as info, max(total_run_time) as total_run_time, first(search) as search, first(search_type) as search_type, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id, host 
| search (host=* search="*" user="*") 
| where ((search_type == "ad hoc") AND isnotnull(search)) 
| eval earliest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiStartTime,"%ZERO_TIME%"),"-",true(),apiStartTime), latest=case((like(apiStartTime,"%ZERO_TIME%") AND like(apiEndTime,"%ZERO_TIME%")),"all time",like(apiEndTime,"%ZERO_TIME%"),"-",true(),apiEndTime), _time=strftime('_time',"%m/%d/%Y %H:%M:%S %z") 
| stats max(total_run_time) as total_run_time by search, _time, earliest, latest, search_type, user, host, search_id 
| where (total_run_time >= 0) 
| sort - total_run_time 
| fields + search, total_run_time, _time, earliest, latest, search_type, user 
| rename _time as "Search Start", earliest as "Earliest Time", latest as "Latest Time", search as "Report Name/Search String", search_type as Type, total_run_time as "Search Runtime", user as User
0 Karma

rleviseur01
New Member

So apiStartTime and apiEndTime are the beginning and end of the search window?

The searches from DMC don't provide the search windows which is what I need. If the two fields above are the search window constraints, then I can build a search off of those to calculate the time difference between them and report that window.

That's what I did yesterday, but thought I was doing something wrong since I was getting all sorts of odd search windows that don't align to the presets. Things like X minutes and random # of seconds. Rounding these to whole numbers I see a lot of things like 61 minutes or 91 days or 0 minutes. Seemed very odd and had me thinking these fields weren't the right fields for the search window.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...