Hi, I wonder whether someone may be able to help me please.
I was using the query below to return details of all the searches performed, which was great because I could extract the user, the run time of the search, and the 'earliest' and 'latest' dates used in the query.
|rest /services/search/jobs
|search NOT (author="splunk-system-user" OR author="monitoring")
|search title!=""
The problem is that this doesn't give me the details for all the searches run.
So I started using the following:
index=_audit action="search" search=*
| search NOT (user="splunk-system-user" OR user="monitoring")
But the problem with this is that I can't retrieve all the 'earliest' and 'latest' dates, and so far I've been unable to find the run time audit event for the query.
Could someone please tell me whether there is a query which returns all of the searches within a given time period and also provides the dates and run times I need?
Many thanks and Kind Regards
Chris
Use the following query
index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring"
This gives you the fields you need: user, total_run_time, search_et (earliest), search_lt (latest).
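As an added example, not part of the original thread or of the answer above, the query below builds on that answer so the fields it names are readable in a report. search_et, search_lt and total_run_time are the fields from the answer; search_et and search_lt are epoch seconds, and total_run_time is seconds. The N/A handling is an assumption to verify against your own _audit data: searches run without an explicit time bound are assumed to record search_et=N/A and search_lt=N/A, which strftime would otherwise turn into an empty value.

```spl
index=_audit action=search info=completed user!="splunk-system-user" user!="monitoring"
| eval earliest_time=if(search_et="N/A", "unbounded", strftime(tonumber(search_et), "%Y-%m-%d %H:%M:%S"))
| eval latest_time=if(search_lt="N/A", "unbounded", strftime(tonumber(search_lt), "%Y-%m-%d %H:%M:%S"))
| eval run_time_sec=round(tonumber(total_run_time), 2)
| table _time user earliest_time latest_time run_time_sec search
| sort - run_time_sec
```

Set the time picker to the period you want to review; _time on each row is when the search completed, not the window it searched, and the search field carries the SPL text that was run, so long-running or unbounded searches by a given user can be picked out directly from the table.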
Hi @somesoni2, that's great thank you very much, this is exactly what I was after.
Kind Regards
Chris