Splunk Search

Is there a search that a user can execute to view search history?

Communicator

We have a user who would like to see their search history; however, this user does not have admin rights and does not have access to the _audit index. Is there a search that they can execute that will only allow them to see their own search history?

Splunk Employee

Considered granting privileges via access controls to allow this particular user to review only their search history with read access to the _audit index + a search filter.
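
A sketch of the role described in the answer above, added here as an example and not taken from the original post or from Splunk's shipped configuration. The role name `role_audit_self_jdoe` and the username `jdoe` are constructed placeholders; `srchIndexesAllowed` and `srchFilter` are the `authorize.conf` settings for index access and search filters.

```ini
# authorize.conf (example; role name and username are placeholders)
#
# A dedicated role that grants read access to _audit but restricts every
# search run under it to search-audit events recorded for one account.
# The filter is a literal search string, so the username is hard-coded:
# one such role is needed per user who should see their own history.
[role_audit_self_jdoe]
# Allow searching the _audit index; grant nothing else from this role.
srchIndexesAllowed = _audit
# Do not search _audit by default, the user must name index=_audit.
srchIndexesDefault =
# Only audit records of search activity attributed to this user.
srchFilter = index=_audit action=search user=jdoe

# Check while logged in as jdoe (SPL, run in the search bar):
#   index=_audit action=search | stats count by user
# The only value returned for "user" should be jdoe.
```

Splunk combines the search filters of all roles a user holds, so run the check with the account's complete role set rather than with this role alone, and confirm that no other role already widens access to `_audit`.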

Motivator

One approach would be to create a saved search that copies the records you are interested in from the _audit index to a summary index, and have the users query that.

That would introduce some lag, but it would be minor if you ran the copying search frequently enough.

0 Karma

Motivator

Apart from using the "My Search History" in the Search Assistant, to my knowledge a user without access to the _audit index cannot query directly for his or her search history.