Solved: Is it possible to search and identify the top user...

paimonsoror · ‎10-11-2016

Wondering if there is a way to identify top user of each index. Basically I am tasked with going back and identifying the use cases for each index in our environment, and I feel that the best way of doing so is to contact the users who search the respective indexes the most.

Thanks!!

somesoni2 · ‎10-11-2016

You can search the _audit logs to see the user searches and try to figure out index details from there. Following query should give you top user for each index.

Updated

index=_audit action=search search=* user=*| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)" | stats count by indexname user | sort 0 indexname -count | dedup indexname

Now the problem with this query is it searches what users are running in Splunk, and often user don't specify index names (which they should to get best performance) in their searches. Above will not count for those searches. See if this can be useful for you with that limitation.

View solution in original post

somesoni2 · ‎10-11-2016

You can search the _audit logs to see the user searches and try to figure out index details from there. Following query should give you top user for each index.

Updated

index=_audit action=search search=* user=*| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)" | stats count by indexname user | sort 0 indexname -count | dedup indexname

Now the problem with this query is it searches what users are running in Splunk, and often user don't specify index names (which they should to get best performance) in their searches. Above will not count for those searches. See if this can be useful for you with that limitation.

paimonsoror · ‎10-11-2016

This is awesome, except it looks like it only return a one liner for me that only showed the index as _audit.

I got some results by running the slight changes here, not sure if it is what you intended, but it certainly gives me a starting point:

index=_audit action=search search=* user=*| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)" | stats count by indexname user | sort 0 indexname -count | dedup indexname

vcarbona · ‎04-30-2019

Wouldn't this only work if the user manually specified the index name in the search query? Users would have to specify it if the index were only allowed and not the default.

somesoni2 · ‎10-11-2016

I'm sluggish today 🙂
This is what I wanted to use (indexname - the extracted field). Updated the answer as well.

hunters_splunk · ‎10-11-2016

Hi paimonsoror,

Not sure if I understand your question correctly, but if you want to get detailed usage information about indexes, follow these steps:

From the Splunk Web menu, select Settings > Monitoring Console.
From the Monitoring Console menu, select Indexing > Indexes and Volumes > Indexes and Volumes: Instance.
You can view usage information of all your indexes and drill down to see details as needed.

Hope it helps. Thanks!
Hunter Shen

paimonsoror · ‎10-11-2016

Thanks for the response @hunters_splunk. Basically I am looking to answer the question:

"For Index XYZ, User ABC runs the most queries against it"

Is it possible to search and identify the top users of each index?

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...