hey
There are multiple ways to track user's search activity:
1) have a look at this search activity app on splunkbase:
https://splunkbase.splunk.com/app/2632/
2) The Splunk on Splunk app has some User Activity views.
Furthermore you can search the "_audit" index :
index=_audit | table _time user action info
The "_internal" index also has some sources on which to do username analytics, i.e. searches.log
3) Also, you can track user's search activity in the monitoring console:
go to monitoring console > search > search activity:instance > search activity > split by:user
open in search and then you can customize the query according to your need.
Refer to this doc for more:
http://docs.splunk.com/Documentation/Splunk/7.0.1/DMC/SearchactivityDeploymentwide
let me know if this helps!
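A per-user rollup built on the "_audit" search from option 2, as an added example that is not part of the original answer. It assumes the standard fields Splunk writes on completed-search audit events (info=completed, search_id, total_run_time) and leaves out the internal splunk-system-user account:

```spl
index=_audit action=search info=completed user=* user!="splunk-system-user"
| eval run_time_s=tonumber(total_run_time)
| stats count AS searches, dc(search_id) AS distinct_search_ids, sum(run_time_s) AS total_run_time_s, max(run_time_s) AS longest_run_s, latest(_time) AS last_search BY user
| eval total_run_time_s=round(total_run_time_s, 1), last_search=strftime(last_search, "%Y-%m-%d %H:%M:%S")
| sort - total_run_time_s
```

Set the time range in the time picker. Reading "_audit" requires a role with access to that index, so run it as an admin or an equivalent role.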
This app contains a dashboard for search head utilization by user with cumulative run time https://splunkbase.splunk.com/app/2678/
Splunk actually copied some of the ideas from it and incorporated them into the Splunk 7 DMC. So, if you are on the latest version of Splunk, you could use DMC for this as well.
This app contains a dashboard for search head utilisation by user with cumulative run time: https://splunkbase.splunk.com/app/2678/
Splunk actually copied some of the ideas from it and included them in the Splunk 7 DMC. So, if you have DMC setup you could use that as well.
I wrote a few dashboards for this in Alerts for Splunk Admins. You could look at utilising some of the queries, or you could just get an idea of what to query. The dashboard is called "Troubleshooting Indexer CPU".
Good luck!
Wow - interesting.
Per #3 -
It's a gorgeous view.
Is there a way to get this view across the cluster and not for one instance?
If there is a filter which allows you to see this kind of functionality, then look for it. Otherwise you would need to take a search and customize the main search to look for all the instances. I think there is a filter to search for all the groups at the top. Just play with the dashboard, you should get the desired results!
Thanks.