Is there a search that a user can execute to view search history?

kbecker
Communicator

We have a user who would like to see their search history; however, this user does not have admin rights and does not have access to the _audit index. Is there a search that they can execute that will only allow them to see their own search history?

hulahoop
Splunk Employee

Considered granting privileges via access controls to allow this particular user to review only their search history with read access to the _audit index + a search filter.

southeringtonp
Motivator

One approach would be to create a saved search that copies the records you are interested in from the _audit index to a summary index, and have the users query that.

That would introduce some lag, but it would be minor if you ran the copying search frequently enough.

0 Karma
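
The summary-index approach from the reply above, sketched as configuration. This is an added example, not part of any poster's reply; the index name, role name, saved-search name, schedule, and the use of `kbecker` as the audit `user` value are assumptions.

```ini
# --- indexes.conf -------------------------------------------------------
# Dedicated summary index holding one user's search history only, so that
# granting read access to it exposes nothing from the rest of _audit.
[search_history_kbecker]
homePath   = $SPLUNK_DB/search_history_kbecker/db
coldPath   = $SPLUNK_DB/search_history_kbecker/colddb
thawedPath = $SPLUNK_DB/search_history_kbecker/thaweddb

# --- savedsearches.conf -------------------------------------------------
# Owned and run by an account that can read _audit (for example an admin).
# Every 5 minutes it copies that user's granted search events into the
# summary index. The window ends one minute in the past to allow for
# indexing delay, and consecutive windows do not overlap, so no event is
# copied twice.
[Copy search history - kbecker]
search = index=_audit action=search info=granted user=kbecker | collect index=search_history_kbecker
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -6m@m
dispatch.latest_time = -1m@m

# --- authorize.conf -----------------------------------------------------
# Role assigned to that user in addition to their normal role. It adds the
# summary index to the indexes they may search and grants no access to
# _audit itself.
[role_search_history_kbecker]
srchIndexesAllowed = search_history_kbecker

# Search the user then runs to see their own history:
#   index=search_history_kbecker | table _time, search
```

Because the filter on `user=` is applied by the copying search, which the end user cannot edit, the restriction to their own records does not depend on what they type into the search bar.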

ftk
Motivator

Apart from using the "My Search History" in the Search Assistant, to my knowledge a user without access to the _audit index cannot query directly for his or her search history.
