search help

roopeshetty · ‎05-05-2021

Hi Guys,

We can see there are 6 hosts which are sending bulk events (logs) to splunk. But we don’t know who is using these host events in spunk. Is there any way we can identify the searches, reports, alerts or dashboards where these hosts events are being used. The purpose is if no where these logs are being used then we can stop the forwarders from those hosts.

sravankaripe · ‎05-05-2021

please try this

index=_* sourcetype=audittrail action=search host=host1 OR host=host2 OR host=host3 OR host=host4 OR host=host5 OR host=host6 | stats count BY user host | sort 0 - count | stats list(*) AS * BY user

aasabatini · ‎05-05-2021

Hi @roopeshetty

can you explain better your use-case?

you received logs from 6 hosts, right?

can you indentify the hosts with the hosts field?

for each host is configured a uf?

Thanks

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

search help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

search help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...