How to back up the search queries of a user/admin in Splunk?
How to back up all the search queries of a user or admin in Splunk Enterprise.
Hi @ppilla,
It's very important to keep a backup of all the searches you use. There's official documentation on how to back up Splunk knowledge objects, which you can find here:
https://docs.splunk.com/Documentation/CoE/ssf/Handbook/ConfigBackup
https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Backupconfigurations
Also, if you want to go through all the searches that have been executed on Splunk, then you can have a look at the _audit index.
Cheers,
David
Splunk stores all the auditTrail (searches/savedsearches, etc.). It is stored under index=_audit.
A simple search would be:
(index=_audit search_group=* action=search sourcetype=audittrail search_id!="rsa_*")
| fillnull value=NA search
| stats count by user,search
But you can extend it to any fields.
So if you need a backup, you can:
1. Back up the whole _audit index.
2. Run a specific query on a regular basis, do an outputlookup to a CSV file, and back this up.
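As an added example (not written by any of the posters and not Splunk's own code), the filter-and-count logic of the search above applied offline to audit.log records, so the same backup can be produced from the raw audit files when the _audit index is not available. The audittrail field layout and the sample records are constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lines shaped like Splunk audit.log "Audit:[...]" records; the field
# layout is assumed from typical audittrail events, not copied from a live system.
SAMPLE_AUDIT_LINES = [
    "INFO  AuditLogger - Audit:[timestamp=01-02-2024 10:00:01.000, user=admin, action=search, "
    "info=granted, search_id='1704189601.12', search='search index=_internal | stats count by component', ttl=600]",
    "INFO  AuditLogger - Audit:[timestamp=01-02-2024 10:00:05.000, user=alice, action=search, "
    "info=granted, search_id='1704189605.13', search='search index=web status=500', ttl=600]",
    "INFO  AuditLogger - Audit:[timestamp=01-02-2024 10:01:00.000, user=admin, action=search, "
    "info=granted, search_id='rsa_1704189660.14', search='search index=_audit | head 1', ttl=600]",
    "INFO  AuditLogger - Audit:[timestamp=01-02-2024 10:03:00.000, user=admin, action=search, "
    "info=granted, search_id='1704189780.15', search='search index=_internal | stats count by component', ttl=600]",
]

AUDIT_RE = re.compile(r"Audit:\[(.*)\]\s*$")
# Unquoted fields end at the next comma; the quoted search text may itself contain commas
# and pipes, so it is matched lazily up to the next ", key=" or the end of the record.
FIELD_RES = {
    "user": re.compile(r"(?:^|, )user=([^,]*)"),
    "action": re.compile(r"(?:^|, )action=([^,]*)"),
    "search_id": re.compile(r"(?:^|, )search_id='([^']*)'"),
    "search": re.compile(r"(?:^|, )search='(.*?)'(?=, [A-Za-z_]+=|$)"),
}

def parse_audit_line(line):
    """Return the audit fields of one line as a dict, or None if it is not an Audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {name: fm.group(1) for name, rx in FIELD_RES.items() if (fm := rx.search(m.group(1)))}

def count_searches(lines, exclude_id_prefix="rsa_"):
    """Same logic as the SPL: action=search, search_id not rsa_*, fillnull NA, count by user,search."""
    counts = Counter()
    for line in lines:
        f = parse_audit_line(line)
        if not f or f.get("action") != "search" or f.get("search_id", "").startswith(exclude_id_prefix):
            continue
        counts[(f.get("user", "NA"), f.get("search", "NA"))] += 1
    return counts

def to_backup_csv(counts):
    """Render the counts as CSV text (user,search,count), the shape an outputlookup would write."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["user", "search", "count"])
    writer.writerows([u, s, n] for (u, s), n in sorted(counts.items()))
    return buf.getvalue()
```

Pointing `count_searches` at the lines of `$SPLUNK_HOME/var/log/splunk/audit.log*` gives the same per-user list the search produces, ready to be written out and backed up.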
You have the queries saved for a certain amount of time; you can click on Expand your search history.
Another option would be to run the history command and collect to a summary index on a regular basis.
See links:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Interactivesearchhistory
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/History
Hope it helps.