The following Splunk query is for the DBConnect app. This will return all user activity using this particular app. I’ve provided the regex in the search. index=_audit sourcetype=audittrail action=”db_connect*” |eval Date=strftime(_time, “%Y/%d/%m”) |rex “user=(?<user>\S+),” | stats count by Date, user, info, action
Queries Executed in DBConnect
This Splunk query will show the DBX or DBConnect queries executed. I have limited information to work with so check back for updates. Disclaimer – I’m using rex to replace HTML markup that is outputted and ingested by splunk. You may need to add to or remove this depending on your output (see query […]
Splunk Server Restart Duration
As titled, the following Splunk search query will show the restart duration (using the transaction command) of the Splunk service itself. index=_audit (action=”splunkShuttingDown” OR action=”splunkStarting”) | eval Date=strftime(_time, “%Y/%m/%d”) | transaction splunk_server startswith=action=”splunkShuttingDown” endswith=action=”splunkStarting” | eval duration=round(duration/60, 2) |table Date splunk_server duration| rename duration as “Splunk Restart Duration” splunk_server as “Splunk Server”
Splunk Query to report on users logging on to the Splunk Web Console
index=_audit tag=authentication info=succeeded |dedup user | table user timestamp
Splunk User Search Activity
This will return a table of users who conducted searches, the total time it took for searches to complete, a count of said searches, and the last time a search was conducted. *NOTE* You will need to modify “splunk_server=local” specifically the “local” section to represent your Splunk server. index=_audit splunk_server=local action=search (id=* OR search_id=*) | […]
List of Login Attempts to Splunk
This will return a list of users who attempted to login to the splunk searchhead. It will list both successful attempts and failed attempts. index=_audit tag=authentication | stats count by user, info | sort – info
Internal Splunk User Modifications
This query will search the internal audit sourcetype of splunk and report on any user modification attempts, both success and fail. index=_audit sourcetype=audittrail action=edit_user | eval Date=strftime(_time, “%Y/%m/%d”) |where user!=object| stats count by user, info, object, Date | rename user as “Authenticated User” | rename info as “Success Status” | rename object as “Modified Account” […]
