Hi there,
Is there any way to find out which users queried for a particular word in Splunk? For example, I would like to find out all the users who queried for the word "apple" or whose queries contain the word "apple".
Thank you
If you are able to see the _audit index (usually that means that you have admin privileges), you can search the content of user searches.
Something like
index=_audit sourcetype=audittrail action=search user!="splunk-system-user" "search=" YOURWORDHERE
should work.
Just be aware that the search you just ran will also show up in the list! 😄
Yes, it is in the internal audit index.
index=_audit action=search search=*apple* | table _time,user,search
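The two searches above do this inside Splunk itself. As an added illustration that is not part of the original thread or of Splunk's own code, the script below applies the same filtering offline to a handful of constructed audittrail-style lines: it parses the `key=value` pairs of each event, keeps only `action=search` events, matches the word in the `search` field, drops `splunk-system-user`, and (as a heuristic, not a Splunk feature) also drops searches that themselves query `index=_audit`, which is how the search you just ran would otherwise show up in its own results. Events that carry no `user` field are reported under a placeholder rather than silently lost. The sample lines, user names and searches are made up for the example; the field layout follows the `Audit:[...]` format of `sourcetype=audittrail` but is not copied from a real system. Note that `search=*apple*` in SPL is a substring match (it also matches "pineapple"); the script defaults to whole-word matching and has a switch for the substring behaviour.

```python
import re
from collections import defaultdict

# Constructed sample audittrail events (not real data). The layout follows the
# Audit:[key=value, ...] format of index=_audit sourcetype=audittrail, but the
# timestamps, users and searches are invented for this example.
SAMPLE_AUDIT_EVENTS = [
    "Audit:[timestamp=03-23-2015 10:11:49.453, user=alice, action=search, "
    "info=granted REST: /services/search/jobs, search_id='1427116309.15', "
    "search='search index=main apple | head 10', ttl=600][n/a]",
    "Audit:[timestamp=03-23-2015 10:12:02.101, user=bob, action=search, info=granted , "
    "search_id='1427116322.16', search='search sourcetype=web pineapple', ttl=600][n/a]",
    "Audit:[timestamp=03-23-2015 10:12:30.777, user=carol, action=search, info=granted , "
    "search_id='1427116350.17', search='search index=sales Apple OR banana', ttl=600][n/a]",
    "Audit:[timestamp=03-23-2015 10:13:00.001, user=splunk-system-user, action=search, "
    "info=granted , search_id='scheduler__admin__search__RMD5', "
    "search='search index=main apple', ttl=600][n/a]",
    "Audit:[timestamp=03-23-2015 10:13:15.500, user=admin, action=search, info=granted , "
    "search_id='1427116395.18', "
    "search='search index=_audit action=search search=*apple* | table _time,user,search', "
    "ttl=600][n/a]",
    "Audit:[timestamp=03-23-2015 10:13:40.250, user=alice, action=login_attempt, "
    "info=succeeded][n/a]",
    # Constructed event with no user field at all, to show how such rows are reported.
    "Audit:[timestamp=03-23-2015 10:14:05.900, action=search, info=granted , "
    "search_id='1427116445.19', search='search index=main apple', ttl=600][n/a]",
]

# key=value where the value is either a single-quoted string (may contain commas,
# as the search string does) or a bare run of text up to the next comma or ']'.
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")


def parse_audit_event(line):
    """Return the key=value pairs of one audittrail event as a dict."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]  # unquote the search string
        fields[key] = value
    return fields


def users_who_searched_for(events, word, whole_word=True, ignore_audit_searches=True):
    """Map each user to the (timestamp, search) pairs of theirs that mention `word`."""
    if whole_word:
        pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    else:
        pattern = re.compile(re.escape(word), re.IGNORECASE)  # like search=*word*
    hits = defaultdict(list)
    for line in events:
        ev = parse_audit_event(line)
        if ev.get("action") != "search":
            continue
        search = ev.get("search", "")
        if not pattern.search(search):
            continue
        user = ev.get("user")
        if user == "splunk-system-user":
            continue  # same exclusion as user!="splunk-system-user" in the SPL answer
        # Heuristic (an assumption of this example): a search that itself reads
        # index=_audit is most likely someone running this very investigation.
        if ignore_audit_searches and "index=_audit" in search:
            continue
        hits[user or "(no user field)"].append((ev.get("timestamp"), search))
    return dict(hits)


if __name__ == "__main__":
    for user, searches in users_who_searched_for(SAMPLE_AUDIT_EVENTS, "apple").items():
        for ts, search in searches:
            print(f"{ts}  {user:18s}  {search}")
```

Running it lists alice, carol and the placeholder row for the event without a `user` field; bob's "pineapple" search only appears with `whole_word=False`, and the admin's own `_audit` search only with `ignore_audit_searches=False`.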
Thank you for the reply, but for some of the searches I don't see the user ID.
There should be a field called user; is it showing up as a blank column?