Show Searches with Details (Who | When | What)

The following Splunk search will show a list of searches ran on a splunk server with the following details:

  • Who ran the search
  • What sourcetype was used
  • What index was used
  • What the search string was
  • When the search was last ran
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*"
| rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))"
| rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" 
| rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)"
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| convert ctime(Latest)
Share This:

Comments

  1. Javier Palacian

    Hi,

    I’ve added a fillnull to your query, because if the users don’t use sourcetype or index you miss them in the results…

    index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!=”‘typeahead*”
    | rex “search\=\'(search|\s+)\s(?P[\n\S\s]+?(?=\’))”
    | rex field=search “sourcetype\s*=\s*\”*(?[^\s\”]+)”
    | rex field=search “index\s*=\s*\”*(?[^\s\”]+)”
    | fillnull value=” ”
    | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
    | sort – Latest
    | convert ctime(Latest)

Leave A Comment?