Splunk Search

How to get the list of Adhoc Search and Saved search running by user in Audit logs.

harishsplunk7
Explorer

I need to get the  list of Adhoc Searches and Saved search running by user in Audit logs.

how to differentiate these searches in _audit logs, is there any specific keyword to identify the searches 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Searches are in the audit log.  Saved searches will have a non-empty value in the savedsearch_name field.  The user name is in the user field.

index=_audit action=search
| table user savedsearch_name search
---
If this reply helps you, Karma would be appreciated.
0 Karma

harishsplunk7
Explorer

This is not working at all, We will get all the searches running in splunk. because there is no keyword to identify whether search is savedsearch or Ad-hoc search or Reports. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

As stated in my response, a saved search will have a non-empty value in the savedsearch_name field (keyword).  If savedsearch_name="" then the search is ad-hoc.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...