Splunk Search

_audit - see users behavior - users searches by sourcetypes

egreibl
Engager

Hi guys,
hope you can help me.
I want to have a statistic of my users. The most of the users access the search&reporting app and not a specific app. So, I want to have a report about the sourcetypes they are looking for. Example:
user XY searched sourcetype ZZ 4 times per day

thanks for your help.
Cheers, Lisi

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

this gives the Sourcetypes and indexes and usernames.

index=_audit action=search search=* sourcetype=audittrail  search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"  | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed

View solution in original post

0 Karma

David
Splunk Employee
Splunk Employee

Unfortunately reporting on implicit sourcetypes or indexes is not possible, unless there is new auditing added in 6.5. The answer given by inventsekar is as close as you will come.

0 Karma

inventsekar
SplunkTrust
SplunkTrust

this gives the Sourcetypes and indexes and usernames.

index=_audit action=search search=* sourcetype=audittrail  search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"  | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | table _time user search SourcetypeUsed IndexUsed
0 Karma

egreibl
Engager

Hi,

thanks for your answer.
But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype. Maybe it is possible to search by the roles? because then I can identify between the different accessrights and therefore which sources where searched how often.

to search for the field "role" it's not possible. do you know the field for "Roles"?
thanks

0 Karma

inventsekar
SplunkTrust
SplunkTrust

"role" is not available.
---- But what I am looking also for users who only search e.g. "ip X.X.X." so, they do not enter explicit the sourcetype ----
are you looking for users who search without explicit sourcetype?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...