Security

Why is the user shown in the results is not the user who is running the query?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I'm running the query below to obtain information about searches that are being run on Splunk and the query works fine.

|rest /services/search/jobs  
|rename custom.search as customSearch  
|search NOT author="splunk-system-user"  
|eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
|search SearchString!=""

The problem I have is that the user shown in the results is not the user who is running the query, often through an app, but rather the owner of the app and developer of the query i.e. me.

So I tried another query I found (see below) which does extract the person who is performing the search, but unlike the first query doesn't report the time range used and the duration of the search, well not that I can find.

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort user | fields user search _time

Could someone tell me please it possible to use a query which will retrieve the following data:

  • Owner of search
  • User of search
  • Search
  • Date Range Used In Search
  • Duration of the search
  • App Used

Many thanks and kind regards

Chris

Labels (1)
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Hi,

Trying joining both queries with search_id and see if that helps:

index=_audit action=search info=granted search=* 
    NOT "search_id='scheduler" 
    NOT "search='|history" 
    NOT "user=splunk-system-user" 
    NOT "search='typeahead" 
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs
    | search NOT author="splunk-system-user"
    | rename custom.search as customSearch, sid AS search_id  
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]

View solution in original post

sideview
SplunkTrust
SplunkTrust

This is a pretty complex problem - part of the puzzle is in the audit log's info="granted" event,  another part is in the audit log's info="completed" event,   even more of it is over in the introspection index.

Then of course for jobs that still exist on the filesystem there is a wealth more info you can get from the rest command or by a custom search command that inspects info.csv and status.csv.

I recommend checking out an app that we released recently called Sideview UI -   specifically the view within that app called "user_activity".

This will do all of this for you,  sidestep pretty thorny autokv problems in the audit data,  and not just give you all of this per search, but also present stats and rollups by user,  app, dashboard,   even by sourcetypes-that-were-actually-searched

it also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user,  by-app,  by-sourcetype rollups etc.   So that admins can try and pick off the worst offenders first.

it's up on SB here and approved for both Cloud and onprem - https://splunkbase.splunk.com/app/6449/

and there's a #sideview_ui channel for it in the community slack.

0 Karma

chimell
Motivator

Hi
try this

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table *

and specify certains information that you want for example see the following

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" |table user search maxtime timestamp

![alt text][1]

IRHM73
Motivator

Hi @chimell, thank you for taking the time to come back to me with this and my apologies for not replying sooner.

The query works great.

Many thanks and kind regards

Chris

0 Karma

josf999
New Member

@Chimell
Thanks a lot.Your query works great....

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Trying joining both queries with search_id and see if that helps:

index=_audit action=search info=granted search=* 
    NOT "search_id='scheduler" 
    NOT "search='|history" 
    NOT "user=splunk-system-user" 
    NOT "search='typeahead" 
    NOT "search='| metadata type=* | search totalCount>0"
| fields user, search, _time, search_id
| eval search_id = trim(replace(search_id, "\'", ""))
| join search_id [
    | rest /services/search/jobs
    | search NOT author="splunk-system-user"
    | rename custom.search as customSearch, sid AS search_id  
    | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)  
    | search SearchString!=""
    | eval search_id = trim(replace(search_id, "\'", ""))
]

IRHM73
Motivator

Hi @javiergn, thank you for taking the time to come back to me with this and my apologies for not coming back to you sooner.

The query works great and returns the information I need.

Once again many thanks and kind regards

Chris

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...