Sorry for the inconvenience, but I'm looking for a query that only shows the searches typed by users, because when I check in the audit it shows me the queries programmed.
Your attention is appreciated.
Regards
I think the posted answer will show saved searches, and not typed searches. I use this one, which is basically the same search as the answer:
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1"
| stats count by user search
@efaundez,
Please find below the search provided by @niketnilay in a comment at https://answers.splunk.com/answers/170477/how-do-i-get-a-list-of-all-searches-performed-in-s.html
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=sourcetypes | search totalCount > 0"
| stats count by _time user search savedsearch_name
| where savedsearch_name=""
| fields - savedsearch_name
Thanks for your answer. I checked the 2 queries and they are showing me searches that are stored in dashboards and programmed.
I checked my history and I see many searches with | inputlookup ... which are not typed 😞