Splunk Search

How to search user search history by keyword

Path Finder

Hi there,

Is there any way to find out which users queried for a particular word in Splunk? For example, I would like to find out all the users who queried for the word "apple" or whose queries contain the word "apple".

Thank you


Re: How to search user search history by keyword

SplunkTrust

Yes, it is in the internal audit index.

index=_audit action=search search=*apple* | table _time,user,search


Re: How to search user search history by keyword

Path Finder

Thank you for the reply, but for some of the searches I don't see the userID.


Re: How to search user search history by keyword

SplunkTrust

There should be a field called user; is it showing up as a blank column?


Re: How to search user search history by keyword

Legend

If you are able to see the _audit index (usually that means that you have admin privileges), you can search the content of user searches.

Something like

index=_audit sourcetype=audittrail action=search user!="splunk-system-user" "search=" YOURWORDHERE

should work.

Just be aware that the search you just ran will also show up in the list! 😄

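As an added example (not code from this thread or from Splunk), the following Python applies the same filter the replies express in SPL to constructed audittrail-style events: only action=search events, splunk-system-user excluded, the keyword matched case-insensitively inside the search text, plus an option to drop the audit query itself, which the last reply notes will appear in the results. The sample events and their field values are constructed for illustration.

```python
import re

# Constructed sample audittrail events (not real Splunk output); the key=value
# layout follows the Audit:[...] form of the _audit index.
SAMPLE_AUDIT = [
    "Audit:[timestamp=03-11-2020 14:22:10.123, user=alice, action=search, info=granted, "
    "search_id='1583936530.1', search='search index=sales product=apple | stats count'][n/a]",
    "Audit:[timestamp=03-11-2020 14:23:01.456, user=bob, action=search, info=granted, "
    "search_id='1583936581.2', search='search index=web status=500'][n/a]",
    "Audit:[timestamp=03-11-2020 14:23:40.789, user=splunk-system-user, action=search, "
    "info=granted, search_id='1583936620.3', search='search index=_internal Apple'][n/a]",
    "Audit:[timestamp=03-11-2020 14:25:00.000, user=carol, action=search, info=granted, "
    "search_id='1583936700.4', search='search index=_audit action=search search=*apple*'][n/a]",
    "Audit:[timestamp=03-11-2020 14:26:00.000, user=alice, action=login, info=succeeded][n/a]",
]

# One key=value pair: the value is single-quoted (and may then contain commas
# and spaces, as the search text does) or a bare run up to the next comma/bracket.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,\]]*))")

def parse_audit_event(line: str) -> dict:
    """Return the fields of one audittrail event as a dict."""
    start, end = line.find("[") + 1, line.rfind("][")
    body = line[start:end] if end > start else line[start:]
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            for m in KV_RE.finditer(body)}

def searches_containing(lines, keyword, exclude_users=("splunk-system-user",), skip_audit_queries=True):
    """Audit events in which a user's search text contains keyword (case-insensitive).
    Mirrors the SPL in the replies: action=search, user!=splunk-system-user, search=*keyword*."""
    kw = keyword.lower()
    hits = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("action") != "search" or "search" not in ev or ev.get("user") in exclude_users:
            continue
        text = ev["search"]
        if kw not in text.lower():
            continue
        # The last reply points out that the audit query itself lands in _audit;
        # optionally drop searches that are themselves reading index=_audit.
        if skip_audit_queries and "index=_audit" in text:
            continue
        hits.append((ev.get("timestamp", ""), ev["user"], text))
    return hits

if __name__ == "__main__":
    for ts, user, text in searches_containing(SAMPLE_AUDIT, "apple"):
        print(ts, user, text)
```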