Splunk Search

Is it possible to search and identify the top users of each index?

Builder

Wondering if there is a way to identify top user of each index. Basically I am tasked with going back and identifying the use cases for each index in our environment, and I feel that the best way of doing so is to contact the users who search the respective indexes the most.

Thanks!!

0 Karma
1 Solution

SplunkTrust

You can search the _audit logs to see the users' searches and try to figure out index details from there. The following query should give you the top user for each index.

Updated

index=_audit action=search search=* user=*| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)" | stats count by indexname user | sort 0 indexname -count | dedup indexname

Now the problem with this query is that it searches what users are running in Splunk, and often users don't specify index names (which they should, to get the best performance) in their searches. The query above will not count those searches. See if this can be useful for you with that limitation.

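The same extraction and ranking as the answer's query, as an added Python example that is not part of the answer or of Splunk: it applies the answer's rex pattern to constructed audit.log-style lines (constructed sample events, not real audit data), counts searches per index and user, keeps the top user per index, and also counts the searches that named no index, the limitation the answer points out.

```python
import re
from collections import Counter, defaultdict

# Same pattern as the answer's rex: "index", optional spaces, "=", optional quotes, then the name
INDEX_RE = re.compile(r'index\s*=\s*"*([^\s"]+)')
# user and search fields of an audit event (audit.log single-quotes the search string)
USER_RE = re.compile(r"\buser=([^,\s]+)")
SEARCH_RE = re.compile(r"\bsearch='(.*?)'")

# Constructed sample of _audit search events in audit.log style (not real data)
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-01-2024 10:00:00.000, user=alice, action=search, search='search index=web status=500']",
    "Audit:[timestamp=01-01-2024 10:01:00.000, user=bob, action=search, search='search index=\"web\" error']",
    "Audit:[timestamp=01-01-2024 10:02:00.000, user=alice, action=search, search='search index = web | stats count']",
    "Audit:[timestamp=01-01-2024 10:03:00.000, user=carol, action=search, search='search index=firewall action=blocked']",
    "Audit:[timestamp=01-01-2024 10:04:00.000, user=bob, action=search, search='search index=firewall']",
    "Audit:[timestamp=01-01-2024 10:05:00.000, user=bob, action=search, search='search index=firewall | head 10']",
    "Audit:[timestamp=01-01-2024 10:06:00.000, user=dave, action=search, search='search error OR failed']",
    "Audit:[timestamp=01-01-2024 10:07:00.000, user=alice, action=search, search='search sourcetype=access_combined']",
]

def extract_index(search):
    """Index named in a search string, or None when the search specifies none."""
    m = INDEX_RE.search(search)
    return m.group(1) if m else None

def top_user_per_index(audit_lines):
    """Mirror `stats count by indexname user | sort 0 indexname -count | dedup indexname`;
    returns ({index: (user, count)}, skipped) where skipped = searches that named no index."""
    counts = defaultdict(Counter)
    skipped = 0
    for line in audit_lines:
        user_m, search_m = USER_RE.search(line), SEARCH_RE.search(line)
        if not (user_m and search_m):
            continue  # not a search event in the expected shape
        index = extract_index(search_m.group(1))
        if index is None:
            skipped += 1  # the answer's limitation: no index= means no attribution
            continue
        counts[index][user_m.group(1)] += 1
    # dedup keeps the first row per index after sorting by -count; user name breaks ties for determinism
    top = {}
    for index, per_user in counts.items():
        user, count = sorted(per_user.items(), key=lambda kv: (-kv[1], kv[0]))[0]
        top[index] = (user, count)
    return top, skipped

if __name__ == "__main__":
    top, skipped = top_user_per_index(SAMPLE_AUDIT)
    print(top, f"| {skipped} searches named no index and were not counted")
```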

Builder

This is awesome, except it looks like it only returned a one-liner for me that showed the index as _audit.

I got some results by running the slight changes here, not sure if it is what you intended, but it certainly gives me a starting point:

index=_audit action=search search=* user=*| rex field=search "index\s*=\s*\"*(?<indexname>[^\s\"]+)" | stats count by indexname user | sort 0 indexname -count | dedup indexname

0 Karma

Path Finder

Wouldn't this only work if the user manually specified the index name in the search query? Users would have to specify it if the index were only allowed and not the default.

0 Karma

SplunkTrust

I'm sluggish today 🙂
This is what I wanted to use (indexname - the extracted field). Updated the answer as well.

0 Karma

Splunk Employee

Hi paimonsoror,

Not sure if I understand your question correctly, but if you want to get detailed usage information about indexes, follow these steps:

  1. From the Splunk Web menu, select Settings > Monitoring Console.
  2. From the Monitoring Console menu, select Indexing > Indexes and Volumes > Indexes and Volumes: Instance.
  3. You can view usage information of all your indexes and drill down to see details as needed.

Hope it helps. Thanks!
Hunter Shen

0 Karma

Builder

Thanks for the response @hunters_splunk. Basically I am looking to answer the question:

"For Index XYZ, User ABC runs the most queries against it"

0 Karma