Splunk Search

How to get the list of Adhoc Search and Saved search running by user in Audit logs.

harishsplunk7
Explorer

I need to get the  list of Adhoc Searches and Saved search running by user in Audit logs.

how to differentiate these searches in _audit logs, is there any specific keyword to identify the searches 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Searches are in the audit log.  Saved searches will have a non-empty value in the savedsearch_name field.  The user name is in the user field.

index=_audit action=search
| table user savedsearch_name search
---
If this reply helps you, Karma would be appreciated.
0 Karma

harishsplunk7
Explorer

This is not working at all, We will get all the searches running in splunk. because there is no keyword to identify whether search is savedsearch or Ad-hoc search or Reports. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As stated in my response, a saved search will have a non-empty value in the savedsearch_name field (keyword).  If savedsearch_name="" then the search is ad-hoc.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...