Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_audit - see users behavior - users searches by sourcetypes

egreibl
Engager
‎10-17-2016 12:21 AM

Hi guys,
hope you can help me.
I want to have a statistic of my users. The most of the users access the search&reporting app and not a specific app. So, I want to have a report about the sourcetypes they are looking for. Example:
user XY searched sourcetype ZZ 4 times per day

thanks for your help.
Cheers, Lisi

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2016 01:45 AM

this gives the Sourcetypes and indexes and usernames.

index=_audit action=search search=* sourcetype=audittrail  search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"  | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed

View solution in original post

0 Karma
Reply
Solved! Jump to solution

David
Splunk Employee
Splunk Employee
‎10-17-2016 03:04 AM

Unfortunately reporting on implicit sourcetypes or indexes is not possible, unless there is new auditing added in 6.5. The answer given by inventsekar is as close as you will come.

0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2016 01:45 AM

this gives the Sourcetypes and indexes and usernames.

index=_audit action=search search=* sourcetype=audittrail  search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"  | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed
0 Karma
Reply
Solved! Jump to solution

egreibl
Engager
‎10-17-2016 01:56 AM

Hi,

thanks for your answer.
But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype. Maybe it is possible to search by the roles? because then I can identify between the different accessrights and therefore which sources where searched how often.

to search for the field "role" it's not possible. do you know the field for "Roles"?
thanks

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2016 02:27 AM

"role" is not available.
---- But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype ----
are you looking for users who search without explicit sourcetype?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...