Splunk User Search Activity

This search returns a table of users who ran searches, the total time their searches took to complete, a count of those searches, and the time of each user's most recent search.

*NOTE* You will need to modify `splunk_server=local`, replacing the `local` part with the name of your Splunk server.
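As an added example (not the search from the original post), here is one way to produce the table described above from Splunk's internal `_audit` index. It assumes the standard audit fields `user`, `action`, `info` and `total_run_time` that Splunk writes for completed searches; `splunk_server=local` is the part you change as the note says:

```spl
index=_audit action=search info=completed splunk_server=local
| stats sum(total_run_time) AS total_search_time, count AS search_count, max(_time) AS last_search BY user
| eval last_search=strftime(last_search, "%Y-%m-%d %H:%M:%S")
| sort - search_count
```

Filtering on `info=completed` counts each search once (the matching `info=granted` event for the same search is skipped) and is the event that carries `total_run_time`, so the sum is in seconds of actual search runtime. Set the time range with the time picker; `_audit` is normally readable only by admins, so run it with a role that has access to that index.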


Comments

  1. Nick Mealy

    This is a great search, but the auditlog is a bit of a nightmare, in large part because autokv is on, so terms in the SPL itself get extracted (and it gets ugly when one of them is “search” or “provenance”, etc.).

    I recommend checking out an app that we released recently called Sideview UI – specifically the view within that app called “user_activity”.

    The app rolls up all the info from audit on both the info=”granted” side and the info=”completed” side, folds in the introspection data as well, which is pretty significant, AND sidesteps pretty thorny autokv problems in the audit data by re-extracting from a custom search command.

    Then you get all of this data per search, but you also get stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched.

    It also has a macro called “calculate pain” that will score a “pain” number for each search, and then sum up all the “pain” in the by-user, by-app, by-sourcetype rollups etc., so that admins can try and pick off the worst offenders first.

    It’s up on SB here and approved for both Cloud and on-prem – https://splunkbase.splunk.com/app/6449/

    And there’s a #sideview_ui channel for it in the Splunk community Slack.
