Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search user search history by keyword

kteng2024
Path Finder
‎09-01-2017 10:54 AM

Hi there,

Is there any way to find out who are the users queried for a particular word in Splunk? For example, i would like to find out all the users who queried for a word called "apple" or whose queries contain a word "apple" .

Thank you

0 Karma
Reply

lguinn2
Legend
‎09-01-2017 11:09 AM

If you are able to see the _audit index (usually that means that you have admin priviledges), you can search the content of user searches.

Something like

index=_audit sourcetype=audittrail action=search user!="splunk-system-user" "search=" YOURWORDHERE

should work.

Just be aware that the search you just ran will also show up in the list! 😄

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-01-2017 11:05 AM

Yes, it is in the internal audit index.

index=_audit action=search search=*apple* | table _time,user,search

0 Karma
Reply

kteng2024
Path Finder
‎09-01-2017 11:13 AM

Thank you for the reply.. but for some the searches i don't see the userID .

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎09-01-2017 11:46 AM

There should be a field called user, is it showing up as a blank column?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...