how to know the search history by user, but only t...

efaundez · ‎08-21-2018

Sorry for the inconvenience, but I'm looking for a query that only shows the searches typed by users, because when I check in the audit it shows me the querys programmed.

your attention is appreciated.

regards

JDukeSplunk · ‎08-21-2018

I think the posted answer will show saved searches, and not typed searches. I use this one, which is basically the same search as the answer

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1" 
| stats count by user search

renjith_nair · ‎08-21-2018

@efaundez,

Please find below search provided by @niketnilay in a comment in https://answers.splunk.com/answers/170477/how-do-i-get-a-list-of-all-searches-performed-in-s.html

 index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=sourcetypes | search totalCount > 0"
 | stats count by _time user search savedsearch_name  
 | where savedsearch_name=""
 | fields - savedsearch_name

Happy Splunking!

efaundez · ‎08-21-2018

Thanks for your answer, check the 2 queries and they are showing me searches that are stored in dashboard and programmed.

Check my history and I see many searches with | inputlookup ... which is not typed 😞

how to know the search history by user, but only the searches you type

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes