Splunk Usage Audit Report

itsmevic · ‎01-02-2020

Hi fellow Splunkers,

I am needing a report which provides audit metrics on the time a Splunk user spends in an app; any searches they ran, and anything else.  The more detail, the better.  Any help with this is GREATLY appreciated.  THANK YOU SO MUCH!

bandit · ‎01-04-2020

Query which will give the number of seconds and human readable time_spent on a splunk page. You may need to tweak the transaction parameters such as maxspan and maxpause etc. to your liking.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

index=_internal sourcetype=splunk_web_access uri_path="/en-US/app/*" * user!="-" 
| rex field=uri_path "/app/(?<splunk_app>[^/]+)/(?<splunk_view>[^/]+)" 
| eval splunk_page=splunk_app+"-"+splunk_view 
| transaction maxpause=60s user splunk_page 
| stats sum(duration) as duration by user splunk_page 
| eval time_spent=tostring(duration, "duration")
| search duration > 0

bandit · ‎01-02-2020

@itsmevic here's an image showing the original source on the left side and it gets modified once I post to Splunk Answers to the right side. Possibly Chrome is encoding/decoding a few characters causing the error.

itsmevic · ‎01-03-2020

Rob, these queries just aren't running for some reason, still getting the same error message as mentioned. Listen, i don't want to take up any more of your time but truely appreciate you trying to help me. I'm going to award you the points anyway for your efforts. Thank you.

bandit · ‎01-04-2020

Hi @itsmevic I've vetted on a generic Splunk lab server and re-uploaded the files linked above a few minutes back. This time I did a direct copy vs copying and pasting in the browser. Hopefully they render for you now. If not, let me know I can can just paste some of the searches directly instead of the dashboards.

Rob

itsmevic · ‎01-04-2020

Rob, thank you for your continued assistance with this. I do appreciate greatly the time and effort you are giving towards this endeavor. I've tried running the queries through again and am getting the same error:

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side.

bandit · ‎01-04-2020

Search 1

index=_audit sourcetype=audittrail
     | fillnull value=NULL
     | table _time host user action info

Search 2

index=_audit sourcetype=audittrail 
| fillnull value=NULL 
| table _time host user action info _raw 
| transaction user action
| table _time duration host user action info _raw

Search 3

index=_internal sourcetype=splunk_web_access uri_path="/en-US/app/*" * user!="-" 
| rex field=uri_path "/app/(?<splunk_app>[^/]+)/(?<splunk_view>[^/]+)" 
| eval splunk_page=splunk_app+"-"+splunk_view 
| top 100 user splunk_page

itsmevic · ‎01-06-2020

Thanks for all your help, Rob!

bandit · ‎01-02-2020

Here's a dashboard that will give some stats on the apps and dashboards that are being used.

Adding a download link as I could not get formatting preserved.
https://downloads.jordan2000.com/splunk/dashboards/popular_views.xml

itsmevic · ‎01-02-2020

Unfortunately, the same response with this one too:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.
The search job has failed due to an error. You may be able view the job in the Job Inspector."

bandit · ‎01-03-2020

Adding a download link as I could not get formatting preserved when I post to Splunk Answers.
https://downloads.jordan2000.com/splunk/dashboards/activity_audit.xml

Adding a download link as I could not get formatting preserved when I post to Splunk Answers.
https://downloads.jordan2000.com/splunk/dashboards/popular_views.xml

bandit · ‎01-02-2020

Here's a dashboard that will give some of the activity audit you are requesting.

Adding a download link as I could not get formatting preserved. https://downloads.jordan2000.com/splunk/dashboards/activity_audit.xml

itsmevic · ‎01-02-2020

Thanks, Rob.

Wow! Now, thats a search! Unfortunately, when I ran it, it is giving me this error:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side."

I went through the query but didn't see anything abnormal. I've over-looked it somewhere within then 819 lines of SPL. By chance, would you be able to pinpoint it?

bandit · ‎01-02-2020

I think it's line 127. When I post here, it URL decodes the dashboard source where as when I view my dashboard's source in Splunk it has the &lt and &gt

original source:
| rex field=id "/users/(?&lt;user&gt;.+)$"

itsmevic · ‎01-03-2020

Thanks for the response, Rob. I basically copied and pasted your original source to the query itself but unfortunately, Splunk is still choking. Getting same error:

"Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left-hand side."

This query looks like it pulls some meaningful info. I am excited to see first hand if we can get it to work.

bandit · ‎01-02-2020

Take a look at the builtin Splunk Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview - it has many reports already built which you could copy and customize to your needs.

Splunk Usage Audit Report

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes