How Splunk admin can find a search executed by use...

anilyelmar · ‎01-18-2019

How Splunk admin can find a search executed by user which causing SearchResults - Corrupt csv header, 2 columns with the same name '__mv_Calling_Station_Identifier' (col #xx and #xxx, #xxx will be ignored)

dkeck · ‎01-18-2019

Hi,

I am not sure I get your question, but if you ask where you can find executed searches in splunkd log. then have a look at

index=_audit action="search" search=* NOT user="splunk-system-user"

also refer to

https://answers.splunk.com/answers/151378/why-history-command-only-shows-my-searches-not-searches-ru...

Please accept the answer if it was helpful thank you 🙂

anilyelmar · ‎01-18-2019

thanks , let me clarify my question: I do see a lot of errors in my search head internal logs as "SearchResults - Corrupt csv header, 2 columns with the same name '__mv_Calling_Station_Identifier' (col #xx and #xxx, #xxx will be ignored)" which means I have some users running ad-hoc/scheduled searches and resulting duplicate field names like ...|fields a b c a d b e ( here a and b are duplicated unnecessary)
I have hundreds of users running thousands of searches daily and its impossible to look manually each of them for above issue) I am looking a way to identify those users and their search strings.

How Splunk admin can find a search executed by user which causing SearchResults - Corrupt csv header, 2 columns with the same name '__mv_Calling_Station_Identifier' (col #xx and #xxx, #xxx will be ignored)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life