Splunk dashboard that displays User searches

I built this dashboard to give a high-level overview of user search activity. The search powering it queries the _audit index, so the role you run it with must be allowed to search Splunk's internal indexes (the admin role is by default; the stock user role only gets srchIndexesAllowed = *, which does not cover indexes whose names begin with an underscore).

The dashboard includes a time range picker, a radio button to include or exclude Splunk's internal splunk-system-user, a dynamic multiselect populated with the users seen in the selected time range, and a text input whose value is wildcard-matched against the search field (for example, type opnsense to see every search that contained that term). Because the table groups on total_run_time and event_count, and stats ... by drops any event that lacks one of its by fields, only the audit record written when a search completes appears in the table; the info=granted record logged when the same search_id starts does not.

Hope you enjoy and find this dashboard useful.

Updated on 4/7/2022 with suggestions from a fellow co-worker (thanks josh.a) to include a few more columns and to have the "Filter" box filter only on values in the "search" field. The Filter was also renamed to Search Filter.


<form theme="dark" version="1.0">
  <label>Splunk Search Activity</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="radio" token="exclude1" searchWhenChanged="true">
      <label>Splunk System User</label>
      <choice value="user!=splunk-system-user">exclude</choice>
      <choice value="*">include</choice>
      <default>user!=splunk-system-user</default>
      <initialValue>user!=splunk-system-user</initialValue>
    </input>
    <input type="multiselect" token="user1">
      <label>User:</label>
      <!-- "stats count by user" yields only the fields user and count, so both the label and the value come from user -->
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>index=_audit action=search 
search!="'typeahead*" $exclude1$ | stats count by user</query>
        <earliest>$time1.earliest$</earliest>
        <latest>$time1.latest$</latest>
      </search>
      <choice value="*">all</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <!-- Emit (user="a" OR user="b") so that selecting several users works; a plain space delimiter inside user="..." would produce user="a b", which matches nothing -->
      <prefix>(</prefix>
      <valuePrefix>user="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <suffix>)</suffix>
    </input>
    <!-- prefix/suffix turn the typed text into search="*text*", so only the search field is matched -->
    <input type="text" token="filter1">
      <label>Search Filter:</label>
      <default>*</default>
      <initialValue>*</initialValue>
      <prefix>"*</prefix>
      <suffix>*"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_audit action=search search!="'typeahead*" $user1$ search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
          <earliest>$time1.earliest$</earliest>
          <latest>$time1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
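To make the SPL's behaviour concrete, here is an added Python model of what the table search does, run over a few constructed audit.log-style lines. This is my example, not code from the original post or from Splunk; the record layout approximates splunkd's audit.log, and the user names, search_ids, timings and search strings are made up, while the field names are the ones the dashboard queries. The helper spl_user_clause shows the fragment a multiselect has to emit, (user="a" OR user="b"), for more than one selected user to match; that is what a valuePrefix/valueSuffix of user=" and an OR delimiter on the input produce.

```python
"""
Offline model of the SPL behind the dashboard (added example, not the
post's own code).  It parses constructed audit.log-style records and applies
the same filters the form tokens build: drop typeahead searches, optionally
drop splunk-system-user, keep only chosen users, wildcard-match the search
text, then emulate "stats count by ..." and "sort -_time".
"""
from datetime import datetime
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records shaped like splunkd's audit.log (not a real capture).
# A search normally logs an info=granted record when it starts and an
# info=completed record, carrying total_run_time and event_count, when it ends.
SAMPLE_AUDIT = """\
Audit:[timestamp=04-07-2022 10:01:05.100, user=alice, action=search, info=granted, search_id='1649322065.10', search='search index=firewall opnsense']
Audit:[timestamp=04-07-2022 10:01:07.400, user=alice, action=search, info=completed, search_id='1649322065.10', total_run_time=2.30, event_count=412, app='search', search='search index=firewall opnsense']
Audit:[timestamp=04-07-2022 10:02:11.000, user=bob, action=search, info=completed, search_id='1649322131.11', total_run_time=0.41, event_count=9, app='search', search='search index=_internal sourcetype=splunkd']
Audit:[timestamp=04-07-2022 10:03:00.000, user=alice, action=search, info=completed, search_id='1649322180.12', total_run_time=0.02, event_count=0, app='search', search='typeahead prefix="index=f" count=10']
Audit:[timestamp=04-07-2022 10:04:30.000, user=splunk-system-user, action=search, info=completed, search_id='1649322270.13', total_run_time=1.10, event_count=77, app='search', search='search index=_audit action=search | stats count by user']
Audit:[timestamp=04-07-2022 10:05:00.000, user=carol, action=login_attempt, info=succeeded]
"""

# key=value pairs; values are either single-quoted (may contain commas/spaces)
# or bare text up to the next comma.
_PAIR = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")

# The by-fields of the dashboard's stats command.  Like Splunk's stats ... by,
# the model drops any record that is missing one of them.
BY_FIELDS = ("_time", "user", "search", "total_run_time", "search_id", "app", "event_count")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value pairs of one Audit:[...] record, or None for a
    non-audit line.  Surrounding single quotes are stripped here, so the
    typeahead test is a plain prefix check; the dashboard's
    search!="'typeahead*" instead matches the value as Splunk extracts it."""
    m = re.match(r"^Audit:\[(.*)\]\s*$", line)
    if not m:
        return None
    rec: Dict[str, str] = {}
    for key, raw in _PAIR.findall(m.group(1)):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] == "'":
            val = val[1:-1]
        rec[key] = val
    return rec


def search_activity(lines: str, exclude_system_user: bool = True,
                    users: Optional[Iterable[str]] = None,
                    search_filter: str = "*") -> List[Dict[str, object]]:
    """Model of the table search.  users=None is the multiselect's "all";
    search_filter is the text-box token, i.e. "*term*" (matched
    case-insensitively, as a Splunk field=value comparison is)."""
    allowed = None if users is None else set(users)
    needle = search_filter.strip("*").lower()
    counts: Dict[tuple, int] = {}
    for line in lines.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get("action") != "search" or "search" not in rec:
            continue  # action=search and search=$filter1$ both require the field
        text = rec["search"]
        if text.startswith("typeahead"):
            continue  # search!="'typeahead*"
        if exclude_system_user and rec.get("user") == "splunk-system-user":
            continue  # the radio button's user!=splunk-system-user
        if allowed is not None and rec.get("user") not in allowed:
            continue  # (user="a" OR user="b")
        if needle and needle not in text.lower():
            continue  # search="*term*"
        try:
            rec["_time"] = datetime.strptime(rec["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        except (KeyError, ValueError):
            continue
        if any(f not in rec for f in BY_FIELDS):
            continue  # stats ... by drops events lacking a by-field (e.g. info=granted)
        key = tuple(rec[f] for f in BY_FIELDS)
        counts[key] = counts.get(key, 0) + 1
    rows = [dict(zip(BY_FIELDS, k), count=c) for k, c in counts.items()]
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort -_time
    return rows


def spl_user_clause(selected: Iterable[str]) -> str:
    """The SPL a multiselect emits with prefix "(", valuePrefix 'user="',
    valueSuffix '"', delimiter " OR " and suffix ")"."""
    return "(" + " OR ".join(f'user="{u}"' for u in selected) + ")"


if __name__ == "__main__":
    for row in search_activity(SAMPLE_AUDIT):
        print(row["_time"], row["user"], row["total_run_time"], row["event_count"], row["search"])
```

Running search_activity(SAMPLE_AUDIT) returns two rows, bob's completed search and then alice's. Alice's info=granted record (no total_run_time or event_count), her typeahead request, the splunk-system-user search and carol's login are all dropped, which is the same set of exclusions the dashboard's table applies.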