Thank you for sharing your inputs. ... View more

You mentioned in your description that you want to use dedup on user field. If you check the data given, the first and second row have different field values for user: - abc, abc1. In your actual dataset, are two values different or are they same? ... View more

Hi @kashtech, Your dataset's field values and the expected output field values are not seeming to be in sync. For example: -  Dataset that you shared: - name='name1', user='abc', type='type1', other-fields     : latest event name='name1', user='abc1', type='type1', other-fields  : past event name='name2', user='def', type='type2', other-fields      Here, the two distinct values for field "type" are: - type1 and type2.   However, in your expected result, the value of field "type" is new. name='xyz', user='abc', type='new', other-fields name='name2', user='def', type='type2', other-fields   Thus, for clarity it would be helpful if you could share the dataset: - 1. in tabular format 2. in sync between input and expected output.   Thank you ... View more

Hi @richgalloway, Thank you for sharing. If I modify the rex to avoid capturing empty string for field "savedsearch_name", in your opinion does that help to solve the problem of avoiding ad-hoc searches in the result? Thank you ... View more

Hi @richgalloway, It would be very helpful if you could share your inputs/feedback on the SPL that I posted. Thank you ... View more

Information fetched so far: - I asked it earlier on a separate forum and got following details from Jason Buxton: - To get details of roles and and their configurations: - |rest /services/authorization/roles splunk_server=local To fetch my details: - |rest /services/authentication/users splunk_server=local   I got following information from Miachael Camp Bentley: - index=_internal reason=* I tried to modify it as: - index=_internal reason="*quota*"  And I got output with string: - The maximum number of concurrent historical searches for this user based on their role quota has been reached. Although there were many empty fields, I fetched data from below fields: - * event_message * _raw * reason * search_id * splunk_server * splunk_server_group   However, it would be helpful if you could guide on getting more details related to events and errors along with related attributes which occur when users exceed their search quota. Thank you ... View more

Hi @cwhelan, Please share if the below code helps you get the results: -   index=_audit search_et="N/A" search_lt="N/A" user!="splunk-system-user" |rex "\s+savedsearch\_name=\"(?<searchName>[\w\d\_\-]*[^\"])" |stats count BY searchName   Thank you ... View more

Hi @Goldenfit, Can you please share the code used for defining your token? Thank you  ... View more

Based on the findings so far, I could understand following details on the fields listed in the thread description: - info: - Information about the search executed by the user. has_error_warn: - False: if no error was observed in the user's search. True: of error was observed in the user's search. fully_completed_search: - Returns true even when the user had stopped the search mid-way. total_run_time: - Total time it took for the user's search to complete. event_count: - Total number of events fetched by the user's search. result_count: - Total number of results returned by the user's search. available_count: - Total number of events available for export. scan_count: - Total number of events fetched by the user's search. drop_count: - It is returned for realtime searches only, the number of possible events that are dropped due to rt_queue_size. exec_time: - Epoch value of the timestamp at which user's search got completed or at which the user's search was stopped. api_et: - The epoch value of the time at which the search started. api_lt: - The epoch value of the time at which the search ended. is_realtime: - 0: If the search was not realtime. 1: If the search was realtime. savedsearch_name: - Saved search title that got executed. search _startup_time: - This field represents the time for a search to start up in seconds. is_prjob: - This field indicates whether the search is a pre-run search or not. app: - Splunk app used by user's search. searched_buckets: - The number of index buckets that were searched to fetch the relevant data. eliminated_buckets: - The number of index buckets that were eliminated during the search process. considered_events: - Total number of events considered during the search process. In case any one can share their inputs to better understand the above points or share the information about fields which I could not document, it would be very helpful. Thank you ... View more

Hi @somesoni2, I found you had answered a similar question in 2013: https://community.splunk.com/t5/Splunk-Search/Identify-users-and-searches-searching-over-all-time/td-p/148444 Thus, it would be very helpful if you could share your inputs on understanding the fields returned by events of the index: _audit. Thank you ... View more

Hi @Azeemering, I read your response on thread: https://community.splunk.com/t5/Monitoring-Splunk/audit-command-in-splunk/m-p/225849 about the usage of index: _audit. It would be very helpful if you could help by sharing your inputs on the fields returned by the index. Thank you ... View more

Hi @richgalloway, Thank you for sharing your prompt and detailed inputs for all the questions shared in the content. It would be very helpful, if you could also check out the below and help by sharing your details: - https://community.splunk.com/t5/Splunk-Search/How-do-I-resolve-this-Error-in-index-internal/td-p/641132 https://community.splunk.com/t5/Monitoring-Splunk/How-to-fetch-details-of-corrupted-data/m-p/638721 Thank you ... View more

For error 1, I fetched following details on https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/HowSplunkstoresindexes: - db_1611661166_1611222333_111_8X88XX8X-X8XX-88X8-888X-X88X88XX8888 db: Originating bucket 1611661166: Newest time 1611222333: Oldest time 111: localid; ID for the bucket 8X88XX8X-X8XX-88X8-888X-X88X88XX8888: guid; guid of the source peer node ... View more

Hi @richgalloway, Thank you for your prompt and detailed inputs for all the questions. ... View more

https://docs.splunk.com/Documentation/Splunk/9.0.4/Indexer/HowSplunkstoresindexes I fetched that db is for Originating bucket and rb is for Replicated bucket. ... View more