Splunk Search

Report all real-time searches from the internal audit index

landen99
Motivator

Enable alerts and reports on real-time searches seen in the internal audit index.

Labels (1)
0 Karma

landen99
Motivator

The following search presents the real-time searches from the audit index:

index=_audit action=search info=granted search=* NOT ("search_id='scheduler" OR "search='|history" OR "user=splunk-system-user" OR "search='typeahead" OR "search='| metadata type=* | search totalCount>0" OR "| metadata type=sourcetypes | search totalCount > 0" ) "search_id='rt_*"
| table _time user host info savedsearch_name search search_id
0 Karma

gjanders
SplunkTrust
SplunkTrust

Nice. In alerts for splunk admins https://splunkbase.splunk.com/app/3796/

I have a few searches to look for bad practices or all time searches in dashboards or similar...FYI

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...