Hi guys,
hope you can help me.
I want to have a statistic of my users. The most of the users access the search&reporting app and not a specific app. So, I want to have a report about the sourcetypes they are looking for. Example:
user XY searched sourcetype ZZ 4 times per day
thanks for your help.
Cheers, Lisi
this gives the Sourcetypes and indexes and usernames.
index=_audit action=search search=* sourcetype=audittrail search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed
Unfortunately reporting on implicit sourcetypes or indexes is not possible, unless there is new auditing added in 6.5. The answer given by inventsekar is as close as you will come.
this gives the Sourcetypes and indexes and usernames.
index=_audit action=search search=* sourcetype=audittrail search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed
Hi,
thanks for your answer.
But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype. Maybe it is possible to search by the roles? because then I can identify between the different accessrights and therefore which sources where searched how often.
to search for the field "role" it's not possible. do you know the field for "Roles"?
thanks
"role" is not available.
---- But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype ----
are you looking for users who search without explicit sourcetype?