Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes?

cass_major
Engager
‎06-19-2023 11:15 PM

Hello,

Could anyone offer an example/advice on some SPL for tracking down users running AD-HOC searches that search on all indexes please?

Thank you

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 01:12 AM

Hi

you could try something like this

index=_audit action=search user=* search=*
| fields _time user action info search_type search_id search
| where (match(search,"index\s*=[\w\s,]*\*"))
| fillnull value="N/A" search_type
| stats max(_time) as _time values(user) as user values(action) as action values(info) as info values(search_type) as search_type first(search) as search by search_id
| where search_type IN ("ad hoc", "N/A")

In earlier versions search_type was always "ad hoc" for AD-HOC searches, but currently it seems to be sometimes also NULL. 

You should also check that "where (match(...." that it's regex match all those different possibilities how your users are writing index=*

r. Ismo

0 Karma
Reply
Solved! Jump to solution

cass_major
Engager
‎06-20-2023 07:05 PM

Thank you isoutamo. Any advice how to drill down to a particular user with the SPL? I am trying to find anyone who isn't properly constraining their searches by index.

Cheers,

Cass

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-20-2023 11:52 PM

The above SPL shows to you all those ad-hoc queries (not saved searches like alerts etc.). You can see the users who are running those. Just limit searches by user etc. and you probably get what you are wanting.

One good tool is MC which helps you to find long running or other expensive queries.

There is also some apps on splunkbase and in GitHub which you could use for that:

There are lot of other apps on net which you could try and get more information about what is happening on your environment.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...