SPL
Splunk User Search Activity
Description
Returns one row per user who ran an ad-hoc search on the search head: the total run time of that user's searches (total_run_time, in seconds), how many searches they ran, and when they last ran one. Results are first rolled up per search_id, so a search that writes several audit events is counted once. Scheduled-search runs (search_id beginning with scheduler_) and searches whose text mentions _internal or _audit are excluded; drop those filters if you also want to see what the scheduler ran on a user's behalf or who has been reading the audit data itself. Reading index=_audit requires the admin role (or a role that has been granted that index).
*NOTE* splunk_server=local is a Splunk keyword meaning "the search head this search runs on", which is where a search head's own _audit index lives, so on a standalone search head it can stay as written. If your _audit events are forwarded to indexers, or you want activity from several search heads, replace local with the host name(s) of the Splunk servers holding the audit data, or drop the clause entirely.
index=_audit splunk_server=local action=search (id=* OR search_id=*)
| eval search_id = if(isnull(search_id), id, search_id)
| replace '*' with * in search_id
| rex "search='search\s(?<search>.*?)',\sautojoin"
| search search_id!=scheduler_*
| convert num(total_run_time)
| eval user = if(user="n/a", null(), user)
| stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id
| search search!=*_internal* search!=*_audit*
| chart sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user
| fieldformat "Last use" = strftime('Last use', "%F %T.%Q")
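The search above tells you how much each user searched, not what they searched. The following SPL is an added example, not part of the original page's search, that reuses the same _audit events and the same rex on the search text, but breaks the results down by the index each ad-hoc search targeted and flags a hypothetical set of sensitive index-name prefixes (pci, hr, finance; substitute your own). It assumes the info=granted audit events carry the search text in the search='search ...', autojoin form the page's rex expects, and that an index is named with an explicit index=<name> term.

```spl
index=_audit splunk_server=local action=search info=granted (id=* OR search_id=*)
| eval search_id=coalesce(search_id, id)
| where NOT match(search_id, "scheduler_")
| rex field=_raw "search='search\s(?<search>.*?)',\sautojoin"
| where isnotnull(search)
| eval user=if(user="n/a", null(), user)
| rex field=search max_match=0 "index\s*=\s*\"?(?<target_index>[^\s\"]+)"
| fillnull value="(default)" target_index
| mvexpand target_index
| eval sensitive=if(match(target_index, "^(?i)(pci|hr|finance)"), "yes", "no")
| stats dc(search_id) AS search_count dc(search) AS distinct_searches min(_time) AS first_use max(_time) AS last_use BY user target_index sensitive
| fieldformat first_use=strftime(first_use, "%F %T")
| fieldformat last_use=strftime(last_use, "%F %T")
| sort - sensitive - search_count
```

dc(search_id) rather than count is used so that a search that logs more than one granted event is still counted once, and fillnull keeps searches with no explicit index= term visible under "(default)" instead of dropping them. The index extraction is deliberately simple: searches that pick indexes with index IN (...), through a macro, an eventtype or a data model will show up under "(default)", so treat the sensitive=yes rows as a starting point for review, not as a complete record of who touched what.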
Comments
This is a great search but the auditlog is a bit of a nightmare, in large part because autokv is on, so terms in the SPL itself get extracted (and it gets ugly when one of them is "search" or "provenance", etc).

I recommend checking out an app that we released recently called Sideview UI - specifically the view within that app called "user_activity".

The app rolls up all the info from audit on both the info="granted" side and the info="completed" side, folds in the introspection data as well which is pretty significant AND sidesteps pretty thorny autokv problems in the audit data by re-extracting from a custom search command.

Then you get all of this data per search, but you also get stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched.

It also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc. So that admins can try and pick off the worst offenders first.

It's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/

and there's a #sideview_ui channel for it in the Splunk community slack.