How can we identify users who are running searches...

krishnani · ‎07-14-2016

Our problem is, some people are running searches without specifying any source types and it's causing maximum system resource utilization.

I want to warn those users not to run any search without a sourcetype. Is there a way where if a user runs any search without a sourcetype, after one minute, the search gets cancelled automatically?

Any thoughts?

gcusello · ‎07-14-2016

You should use the Distributed Management Console or the Search Activity App to see the maximum system resource utilization in searches.
In this way you could find all the worst searches in your system not only the ones without sourcetype.
Bye.
Giuseppe

gcusello · ‎09-09-2016

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

somesoni2 · ‎07-14-2016

Try something like this should help you detect users and their search which are not using index/sourcetypes

index=_audit action=search search=* sourcetype=audittrail  search=* search_id=* NOT (user=splunk-system-user ) | rex field=search "sourcetype\s*=\s*\"*(?<SourcetypeUsed>[^\s\"]+)"  | rex field=search "index\s*=\s*\"*(?<IndexUsed>[^\s\"]+)" | where isnull(IndexUsed) OR isnull(SourcetypeUsed) | table _time user search search_id

How can we identify users who are running searches without specifying sourcetypes? They are causing skipped searches in Splunk.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases