The following Splunk search will show a list of searches ran on a splunk server with the following details: Who ran the search What sourcetype was used What index was used What the search string was When the search was last ran
|
1 2 3 4 5 6 |
index=_audit action=search sourcetype=audittrail search_id=* NOT (user=splunk-system-user) search!="'typeahead*" | rex "search\=\'(search|\s+)\s(?P<search>[\n\S\s]+?(?=\'))" | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | stats latest(_time) as Latest by user search SourcetypeUsed IndexUsed | convert ctime(Latest) |
