The following Splunk search will show a list of searches ran on a splunk server with the following details:
- Who ran the search
- What sourcetype was used
- What index was used
- What the search string was
- When the search was last ran
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*" | rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))" | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed | convert ctime(Latest)
Hi,
I’ve added a fillnull to your query, because if the users don’t use sourcetype or index you miss them in the results…
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!=”‘typeahead*”
| rex “search\=\'(search|\s+)\s(?P[\n\S\s]+?(?=\’))”
| rex field=search “sourcetype\s*=\s*\”*(?[^\s\”]+)”
| rex field=search “index\s*=\s*\”*(?[^\s\”]+)”
| fillnull value=” ”
| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed
| sort – Latest
| convert ctime(Latest)
Thanks!! Good call :)
is any one working on audit activityb dashboard?