SPL
Show Searches with Details (Who | When | What)
Description
The following Splunk search will show a list of searches ran on a splunk server with the following details:
- Who ran the search
- What sourcetype was used
- What index was used
- What the search string was
- When the search was last ran
16 0
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*" | rex "search\=\'(search|\s+)\s(?P<search>[ \S\s]+?(?=\'))" | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed | convert ctime(Latest)
Comments
3 total
Hi,\r\n\r\nI've added a fillnull to your query, because if the users don't use sourcetype or index you miss them in the results...\r\n\r\nindex=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!=\"'typeahead*\"\r\n| rex \"search\=\'(search|\s+)\s(?P[\n\S\s]+?(?=\'))\"\r\n| rex field=search \"sourcetype\s*=\s*\\"*(?[^\s\\"]+)\" \r\n| rex field=search \"index\s*=\s*\\"*(?[^\s\\"]+)\"\r\n| fillnull value=\" \"\r\n| stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed\r\n| sort - Latest\r\n| convert ctime(Latest)
Thanks!! Good call :)
is any one working on audit activityb dashboard?
Leave a comment
You must log in to post a comment.