Splunk Search

| History & User

behymejt2012
Path Finder

Hi Everyone,

Utilizing | History to show all the Jobs running/completed is great, but I am unable to make a connection to who actually started the Job.

Does anyone have any suggestions to see what searches where performed by a user?

Thanks!

Tags (1)
0 Karma

aholzer
Motivator

Try using the index=_audit instead of "| history".

The _audit index contains a user field, an action field (that you should set to action=search, to only look at searches) and should show you the search run in the "search" field.

Something like:
index=_audit action=search search=* | table _time, search, user

You can also run stats and the like once you get the base search down.

Hope this helps.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The history command only looks at your own past searches, it's what is used to compute the suggestions of recent searches that come up when you type.

In order to look at other users' searches you can inspect the _audit index. There are some pre-built searches in the SoS app, you can work your way from there or just start browsing the index, look for the field search - maybe saved_search as well.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...