When searching in Splunk, it is possible to hit the share button and share the job ID and the results of the job with others via the link to the search, rather than copying and pasting the URL itself to another person and having Splunk search the entire job again.
The issue is, if I am an admin, and I am searching on an index only available to admins, I can share the job with a user that does not have admin roles and they can view the job as it runs and completes and it is available for 7 days after the fact. In index=_audit, it seems like there is no record of the sharing of the search; it just shows that someone has viewed a job that someone else has initiated. Is there a way of showing the content of the searches that were shared like I described above and the users that viewed each of the shared searches for audit purposes?
Example for clarity:
I'm admin. Sam and Nick are power users. I have access to the index called Potato. Neither Sam nor Nick has access to the index. I can share the search "index=Potato | head" with Sam using the share button and he can see the results. If Sam, without my knowledge, shares the link with Nick, there is a potential issue if I want to see who has seen the information in index=Potato. Is there a way to see that furby559 searched for "index=Potato | head" and Sam AND Nick viewed that search?
I've tried to be as clear as possible, but if something is not clear, I will reply to your comment to clarify.