Is there a way to find out the scripts running by users on indexers because few backs when i ask a user , he told that he ran it on search head but actually that script is running on indexers . So, how to find out the scripts running on indexers that were created by users . i know splunk base apps will be running shell scripts but i want to ignore them.
@kteng2024 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
I assume you mean saved searches.
Try this to start with:
index=_internal source="*scheduler.log" savedsplunker | stats count BY user, savedsearch_name, host
Run it with a time range of maybe a week.