I am attempting to create a search that would pull information about search usage. I have an index generated off of this:
| rest /servicesNS/-/-/saved/searches splunk_server=local
| rename "eai:acl.app" AS app
| rename "eai:acl.owner" AS owner
| table title,app,owner
I have searched and cannot find a way to add a time stamp for searches.
Thanks for your help,
Ernie
You can write a particular user name:
index=_audit action=search user=user-name | stats latest(_time) as LastRun by user | convert ctime(LastRun)
Or, for all user names (excluding splunk-system-user and splunk_alert_scheduler, the saved-search user accounts):
index=_audit action=search user!=splunk* | stats latest(_time) as LastRun by user | convert ctime(LastRun)
Are searches time stamped when they are initiated? If they are, where is that time stamp saved? Maybe I can write a script to draw it out.
Thanks,
Ernie
Hi Ernie,
Have you taken a look at this app yet? It may contain all the things you are trying to build, and then some.
I don't believe the REST endpoint will capture the last run time of each search, if that is what you are after. For getting that, you will have to search index=_audit similar to this (will need tweaking): index=_audit action=search savedsearch_name="*" | stats latest(_time) as LastRun by savedsearch_name | convert ctime(LastRun)
I would definitely take a look at the app mentioned above, if only to give you an idea of where to find the relevant data for your use case.
This search works really well, but all I get is the scheduled searches that populate. I run a lot of different searches manually and they do not show up in this report. Any other suggestions?
Thanks,
Ernie
Sorry, your initial question suggested you are only interested in finding saved search information. You can remove savedsearch_name="*" from the search string and find a different field to group by to include all search activity, as @inventsekar points out below.
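As an added illustration (not part of this thread and not Splunk's own tooling), the Python below reproduces the logic of the `index=_audit action=search ... | stats latest(_time) as LastRun by user` searches given above on a constructed sample of audittrail-style events, and shows why a `savedsearch_name="*"` filter keeps only scheduled runs: ad hoc searches are logged with an empty `savedsearch_name`. The field layout of the sample lines is simplified and assumed, not copied from a real audit log.

```python
import re
from datetime import datetime

# Constructed sample of audittrail-style events (simplified key=value layout, not real log data).
# Ad hoc searches carry savedsearch_name="" so a savedsearch_name="*" filter drops them.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2024 09:15:02.000, user=alice, action=search, info=granted, savedsearch_name="", search='search index=main error']
Audit:[timestamp=03-01-2024 09:20:45.000, user=bob, action=search, info=granted, savedsearch_name="Daily Errors", search='search index=main error | stats count']
Audit:[timestamp=03-01-2024 09:30:10.000, user=alice, action=search, info=granted, savedsearch_name="", search='search index=_audit action=search']
Audit:[timestamp=03-01-2024 09:31:00.000, user=splunk-system-user, action=search, info=granted, savedsearch_name="Daily Errors", search='search index=main']
Audit:[timestamp=03-01-2024 09:32:00.000, user=alice, action=login_attempt, info=succeeded]
"""

# key=value pairs; quoted values (single or double) may contain commas and '=' signs.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]+)")


def parse_event(line):
    """Return the key=value pairs of one audittrail line as a dict (quotes stripped)."""
    return {key: raw.strip("'\"") for key, raw in FIELD_RE.findall(line)}


def last_run_by_user(log_text, include_saved=True, include_adhoc=True, exclude_prefix="splunk"):
    """Mirror of: index=_audit action=search user!=splunk* | stats latest(_time) as LastRun by user.

    include_saved / include_adhoc reproduce the effect of (not) filtering on savedsearch_name="*":
    with include_adhoc=False only scheduled saved searches remain, which is the behaviour
    described in the thread. Returns {user: datetime_of_latest_search}.
    """
    latest = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "search":          # action=search
            continue
        user = ev.get("user", "")
        if user.startswith(exclude_prefix):         # user!=splunk*
            continue
        is_saved = bool(ev.get("savedsearch_name"))  # empty for ad hoc searches
        if (is_saved and not include_saved) or (not is_saved and not include_adhoc):
            continue
        ts = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        if user not in latest or ts > latest[user]:  # latest(_time) by user
            latest[user] = ts
    return latest


if __name__ == "__main__":
    for user, ts in sorted(last_run_by_user(SAMPLE_AUDIT).items()):
        print(f"{user:10s} LastRun={ts:%Y-%m-%d %H:%M:%S}")  # analogue of convert ctime(LastRun)
```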
I have tried all different variations of searches, but I still get only the saved searches and not all the searches run. Is there a file that I can rip some of that info from? Is there some other search format I can try other than rest or index=audit source=audittrail?
Thanks,
Ernie