Detailed User Activity

index=_* search=* user=* user!=- user!=splunk-system-user
| rex field=search max_match=0 "index\s*=[\s\"]*(?<idx1>.*?)[\|\s\"\)]"
| rex field=search max_match=0 "[\+\(|\+]index\%3D(?<idx2>.*?)[\+|\)\+]"
| eval idx=if(isnull(idx1), idx2, idx1)
| eval frequency=if(source="/opt/splunk/var/log/splunk/splunkd_access.log", "scheduled", "ad-hoc")
| eval type=if(match(search, "summary*"), "summary", type)
| eval idx=if(isnull(idx), "NONE", idx)
| eval end_type=if(frequency="ad-hoc", "ad-hoc", type)
| rename end_type as type
| table _time frequency type source user idx search
| bin _time span=1h
| stats count as count by _time idx user frequency type search
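To show what the two rex patterns and the eval chain above actually produce, here is an added Python re-implementation of the search's field logic (not part of the original post, and not Splunk code). It runs the same two regexes, written with Python's (?P<name>...) group syntax instead of PCRE's (?<name>...), over constructed sample events that imitate the two sources the search reads: an audit.log event whose search field is plain text, and a splunkd_access.log REST call whose search parameter is URL-encoded. The events, the epoch times and the pre-existing "type" field on each event are assumptions made for this example; the page's search references "type" as an existing field without saying where it comes from.

```python
import re
from collections import Counter

# The page's two rex patterns, unchanged apart from the named-group syntax.
IDX_PLAIN = re.compile(r'index\s*=[\s\"]*(?P<idx1>.*?)[\|\s\"\)]')
IDX_URLENC = re.compile(r'[\+\(|\+]index\%3D(?P<idx2>.*?)[\+|\)\+]')
SCHEDULED_SOURCE = "/opt/splunk/var/log/splunk/splunkd_access.log"

# Constructed sample events (not real log data). Two audit.log searches by alice,
# two URL-encoded REST searches from splunkd_access.log, one search without an index.
SAMPLE_EVENTS = [
    {"_time": 1700000100, "user": "alice", "type": "adhoc",
     "source": "/opt/splunk/var/log/splunk/audit.log",
     "search": 'search index="web" sourcetype=access_combined status=500 | stats count'},
    {"_time": 1700000200, "user": "alice", "type": "adhoc",
     "source": "/opt/splunk/var/log/splunk/audit.log",
     "search": 'search index="web" sourcetype=access_combined status=500 | stats count'},
    {"_time": 1700000300, "user": "bob", "type": "scheduled",
     "source": SCHEDULED_SOURCE,
     "search": "GET /services/search/jobs?search=search+index%3Dfirewall+action%3Dblocked&earliest=-1h"},
    {"_time": 1700000400, "user": "carol", "type": "scheduled",
     "source": SCHEDULED_SOURCE,
     "search": "GET /services/search/jobs?search=search+index%3Dsummary_daily+earliest%3D-1d+%7C+stats+count"},
    {"_time": 1700000500, "user": "dave", "type": "adhoc",
     "source": "/opt/splunk/var/log/splunk/audit.log",
     "search": "| rest /services/server/info"},
]


def classify(event):
    """Apply the search's rex and eval steps to one event; return the derived fields."""
    search = event["search"]
    idx1 = IDX_PLAIN.findall(search)    # max_match=0: every match, so a list (multivalue)
    idx2 = IDX_URLENC.findall(search)
    idx = idx1 if idx1 else idx2        # eval idx=if(isnull(idx1), idx2, idx1)
    frequency = "scheduled" if event["source"] == SCHEDULED_SOURCE else "ad-hoc"
    # match(search, "summary*") is a regex test, so it matches "summar" followed by
    # zero or more "y"; replicated as written.
    type_ = "summary" if re.search(r"summary*", search) else event.get("type")
    if not idx:
        idx = ["NONE"]                  # eval idx=if(isnull(idx), "NONE", idx)
    end_type = "ad-hoc" if frequency == "ad-hoc" else type_
    return {"idx": idx, "frequency": frequency, "type": end_type}


def user_activity(events, span=3600):
    """bin _time span=1h | stats count by _time idx user frequency type search."""
    counts = Counter()
    for ev in events:
        d = classify(ev)
        if d["type"] is None:
            continue                    # stats ... by drops events with a null by-field
        bucket = ev["_time"] - ev["_time"] % span
        for idx in d["idx"]:            # a multivalue idx is split into one row per value
            counts[(bucket, idx, ev["user"], d["frequency"], d["type"], ev["search"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, count in sorted(user_activity(SAMPLE_EVENTS).items()):
        print(count, key)
```

Two things worth knowing before relying on the output: the plain-text pattern needs a terminator (space, pipe, quote or closing parenthesis) after the index name, so a search that ends in `index=web` with nothing after it yields idx "NONE"; and because the last stats groups by type, any scheduled event whose source lacks a type field and whose search does not match "summary" is silently dropped from the report.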


  1. Doris

    When running this command in hopes of capturing user activity I get an error message indicating “The regex 'field' does not extract anything. It should specify at least one named group. Format (?…).”

    1. Jeff


      You might want to copy the search to notepad/notepad++ first as I’ve noticed in general when trying to copy/paste searches some of the special characters don’t get copied correctly.

      I copied this search to notepad++ and then copied from there to Splunk and was able to run the search.
