Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find user saved searches

sanju005ind
Communicator
‎02-15-2011 10:55 AM

Given a splunk username how do i search for the following.

The roles that the user has - The last 15 searches performed - Any saved searches

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 05:19 PM

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

View solution in original post

Reply
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 05:19 PM

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

Reply
Solved! Jump to solution

sanju005ind
Communicator
‎02-15-2011 01:43 PM

Sorry Saved searches created.

0 Karma
Reply
Solved! Jump to solution

sanju005ind
Communicator
‎02-15-2011 01:37 PM

Checking the index=_audit gives the recently used. However what about those searches that are never executed.Need a list of all the searches the user has created.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...