how to know the search history by user, but only t...

efaundez · ‎08-21-2018

Sorry for the inconvenience, but I'm looking for a query that only shows the searches typed by users, because when I check in the audit it shows me the querys programmed.

your attention is appreciated.

regards

JDukeSplunk · ‎08-21-2018

I think the posted answer will show saved searches, and not typed searches. I use this one, which is basically the same search as the answer

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>1" 
| stats count by user search

renjith_nair · ‎08-21-2018

@efaundez,

Please find below search provided by @niketnilay in a comment in https://answers.splunk.com/answers/170477/how-do-i-get-a-list-of-all-searches-performed-in-s.html

 index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=sourcetypes | search totalCount > 0"
 | stats count by _time user search savedsearch_name  
 | where savedsearch_name=""
 | fields - savedsearch_name

---
What goes around comes around. If it helps, hit it with Karma 🙂

efaundez · ‎08-21-2018

Thanks for your answer, check the 2 queries and they are showing me searches that are stored in dashboard and programmed.

Check my history and I see many searches with | inputlookup ... which is not typed 😞

how to know the search history by user, but only the searches you type

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...