Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Search Query

mailmetoramu
Explorer
‎11-04-2020 03:51 AM

Looking for an search query to monitor some bunch of users on all indexes activity. Tried the below one but couldn't get my actual requirement , let me know some more efficient queries to get this.

index=* user= apptusr user=oracleapp user=oracledb user=oracleftp |stats count by src dest user name action index

Labels (1)
Labels
0 Karma
Reply

mailmetoramu
Explorer
‎11-04-2020 06:35 AM

Thanks for the reply, i got ur baseline.  The query which i have mentioned is already working but i need some suggestions how to tweak the query.  Again pasting my query below, please give me an query which would cover my requirement.

index=* user= apptusr user=oracleapp user=oracledb user=oracleftp |stats count by src dest user name action 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2020 06:02 AM

I take it you want to know if certain users run queries containing "index=*".  if that is incorrect then please clarify the question.

The given query looks in all indexes for events where the 'user' field contains all four values simultaneously.  That can never happen.  Even if it could, it wouldn't satisfy the requirement because it's looking in index=* rather than for index=*.

The Splunk Admins app has a search that be useful for this.  Check out "SearchHeadLevel - Scheduled searches not specifying an index".

Another approach is to search the _internal index for "index=*" and the user names of interest.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...