Given a Splunk username, how do I search for the following:
- The roles that the user has
- The last 15 searches performed
- Any saved searches
Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (e.g. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.
As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf.
You could extrapolate that a user is creating a saved search, using the data in index=_audit.
Without any additional work, you can see very clearly what searches and saved searches are being run:
Saved Searches:
index="_internal" sourcetype="scheduler"
Manual Searches:
index="_internal" sourcetype="searches"
HTH,
ron
Sorry, saved searches created.
Checking index=_audit gives the recently used ones. However, what about those searches that are never executed? Need a list of all the searches the user has created.
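One way to get the list asked for in the follow-up (searches the user created, whether or not they were ever run) is to read the savedsearches.conf files under the user directory that ron points at, since they are not indexed. This is an added example, not code from the thread or from Splunk; it assumes the private-search path is $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf and builds a throwaway $SPLUNK_HOME with constructed sample files so it runs offline.

```python
import tempfile
from pathlib import Path

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    '#' comments and backslash line continuations."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def saved_searches_for_user(splunk_home, user):
    """Return [(app, name, spl)] for each saved search in the user's private conf files."""
    found = []
    user_dir = Path(splunk_home) / "etc" / "users" / user
    for conf in sorted(user_dir.glob("*/local/savedsearches.conf")):
        app = conf.parts[-3]             # .../users/<user>/<app>/local/...
        for name, keys in parse_conf(conf.read_text()).items():
            if name != "default":        # [default] holds settings, not a search
                found.append((app, name, keys.get("search", "")))
    return found

def demo():
    """Build a constructed $SPLUNK_HOME for user 'alice' and enumerate it."""
    home = Path(tempfile.mkdtemp())
    samples = {   # constructed sample files, not real config
        "search": "[default]\ndispatch.earliest_time = -24h\n\n"
                  "[Failed logins]\nsearch = index=os sourcetype=linux_secure \\\n"
                  "  \"Failed password\" | stats count by user\n",
        "myapp": "# never scheduled, so absent from _audit\n[Audit volume]\n"
                 "search = index=_audit action=search | timechart count\n",
    }
    for app, text in samples.items():
        local = home / "etc" / "users" / "alice" / app / "local"
        local.mkdir(parents=True)
        (local / "savedsearches.conf").write_text(text)
    return saved_searches_for_user(home, "alice")
```

Point `saved_searches_for_user` at the real $SPLUNK_HOME on the search head to list a user's private searches; searches shared into an app live under $SPLUNK_HOME/etc/apps/<app>/local instead and would need the same parser run over that path.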