Splunk Search

Find user saved searches

sanju005ind
Communicator

Given a splunk username how do i search for the following.

The roles that the user has - The last 15 searches performed - Any saved searches

Tags (1)
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

Splunk doesn't normally index user role data. $SPLUNK_HOME/etc/passwd describes the local Splunk users, but where external authentication is used (i.e. AD, LDAP, RADIUS), you would use a scripted input to index role data, or you would use an external lookup.

As for enumerating all saved searches for a user, these files aren't normally indexed either. savedsearches.conf can be found in a number of places, like $SPLUNK_HOME/etc/system/[local|default], $SPLUNK_HOME/etc/apps/<app>/[local|default], and $SPLUNK_HOME/etc/users/<user>/app/local/savedsearches.conf

You could extrapolate that a user is creating a saved search, using the data in index=_audit.

Without any additional work, you can see very clearly what searches and saved searches are being run:

Saved Searches:

index="_internal" sourcetype="scheduler"

Manual Searches:

index="_internal" sourcetype="searches"

HTH,
ron

sanju005ind
Communicator

Sorry Saved searches created.

0 Karma

sanju005ind
Communicator

Checking the index=_audit gives the recently used. However what about those searches that are never executed.Need a list of all the searches the user has created.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...