Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Avg and most common Search time frame

cboillot
Contributor
‎05-27-2021 06:32 AM

A quick search didn't find anything. I am looking to determine what the most used and avg Search window is. I.e. how far back are most of my users actually looking. Is this possible?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-27-2021 10:54 AM

Perhaps this will get you started.

index=_audit sourcetype="searchactivity:searchhistory"
| stats mode(earliest) as modeTime, avg(earliest) as avgTime
| fieldformat avgTime=strftime(avgTime,"%c")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

cboillot
Contributor
‎05-27-2021 12:50 PM

hmm... The only sourcetype I have for the audit is audittrail.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-27-2021 02:00 PM

Hmm...  Perhaps that sourcetype is unique to Splunk Cloud instances.  Here's another query to try.  It gives a list of relative times rather than a specific date, but that may be more helpful.

index=_audit "earliest=" | stats values(earliest)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...