Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

text of previous searches

ccsfdave
Builder
‎05-30-2013 10:19 AM

Greetings,

I am looking for a way to output previous search parameters. I am running:

index=_audit action=search "splunk username"

The results are finding searches performed by that user but are not displaying the actual search themselves. Is there a way I can show this? Specifically, I want to see if anyone has piped to delete.

As a second question, a role with only delete_by_keyword was created which may have been used. What permission allows my power users to create roles? Is there a way to see who created that role and when? Finally, can I tell what users have been in that role?

Thanks.

Tags (2)
0 Karma
Reply

jaxjohnny2000
Builder
‎12-27-2018 10:53 AM

index=_audit delete
| where match(_raw,"\d+, user=\S+, action=delete_by_keyword,") OR match(search,"|.*delete\'")
| stats min(_time) as time values(action) as action,values(search) as search by user
| convert ctime(*time)

0 Karma
Reply

aholzer
Motivator
‎05-30-2013 11:15 AM

That's quite a few questions you got there

  • "...not displaying the actual search themselves. Is there a way I can show this?"

If you add search=* at the end of your query, it should return only those _audit messages with the search field included

index=_audit action=search "splunk username" search=*
  • "Specifically, I want to see if anyone has piped to delete."

instead of search=* you can do something like search="*|*delete*". This will look for all _audit messages that contain a pipe and the word "delete" anywhere in the search field

index=_audit action=search "splunk username" search="*|*delete*"
  • "What permission allows my power users to create roles?"

The Capability is "edit_roles"

  • "Is there a way to see who created that role and when?"

This one I don't know, sorry. As far as I know, there is no way of doing this. Unless it was the last role added in which case you could look in your file system and look at the last modified date for the permissions file.

EDIT: I think I may have just figured it out. If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=*role*" you should get all users that have ever editted / created roles. You can probably also simply search for the name of the role and you should see when it was created.

  • "Finally, can I tell what users have been in that role?"

You'll have to walk through each of your users and see if they have the role you are looking for. You can probably do this via a simple grep command in Linux, or some form of search in Windows across your permission files.

Hope this helps

Reply

aholzer
Motivator
‎05-30-2013 11:45 AM

I was worried about that. Just so you know everything that gets written to the audit.log, should be written to your index=_audit. So you should be able to use that to look at older entries (possibly "all-time") for your culprit.

Happy huntings 🙂

0 Karma
Reply

ccsfdave
Builder
‎05-30-2013 11:38 AM

Thanks for this. My audit logs seems awfully small. I did a search for the rogue role and found it but only me looking at and removing it today.

Just to make sure I knew what I was looking for I created a new role of nonsense name and deleted it then found it in the logs. I then searched all the audit logs for: operation=create but only found today's test.

Thanks again for the help

Reply

aholzer
Motivator
‎05-30-2013 11:30 AM

I think I may have just figured out how to get which user created the "delete_by_keyword" role.

If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=role" you should get all users that have ever editted / created roles.

You can probably also simply search for the name of the role and you should see when it was created.

I have edited my original answer to show these two things.

0 Karma
Reply

aholzer
Motivator
‎05-30-2013 11:24 AM

Just FYI - I don't think that the power users come with the "edit_roles" capability by default. So if your "power" role has that capability, someone may have added it. If it doesn't, then someone with the "admin" role was the one that created that "delete_by_keyword" role.

0 Karma
Reply

ccsfdave
Builder
‎05-30-2013 11:19 AM

Thanks aholzer! I think these answers will mostly set my mind at ease. I am concerned over who may have created the role but I am going to double check my power users for the edit_roles and then change the admin passwd.

Cheers!

Dave

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...