
Splunk Searches Run By User

Hi, I wonder whether someone may be able to help me please.

I'm running the query below to obtain information about searches that are being run on Splunk, and the query works fine.

```spl
| rest /services/search/jobs
| rename custom.search as customSearch
| search NOT author="splunk-system-user"
| eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch)
| search SearchString!=""
```

The problem I have is that the user shown in the results is not the user who is running the query, often through an app, but rather the owner of the app and developer of the query, i.e. me.

So I tried another query I found (see below) which does extract the person who is performing the search, but unlike the first query it doesn't report the time range used and the duration of the search, well, not that I can find.

```spl
index=_audit action=search info=granted search=*
    NOT "search_id='scheduler"
    NOT "search='|history"
    NOT "user=splunk-system-user"
    NOT "search='typeahead"
    NOT "search='| metadata type=* | search totalCount>0"
| stats count by user search _time
| sort user
| fields user search _time
```

Could someone please tell me whether it is possible to use a query which will retrieve the following data:

- Owner of search
- User of search
- Search
- Date range used in search
- Duration of the search
- App used

Many thanks and kind regards,
Chris
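One way to pull all six items into a single search, as an added example rather than anything from the original post: the `info=granted` and `info=completed` events in `_audit` for the same search share a `search_id`, so the two can be stitched together with `stats` (the granted event carries the user, the search text and the requested time range; the completed event carries the run time), and app and owner can then be joined in from the jobs endpoint by `sid`. The `_audit` field names used here (`search_id`, `apiStartTime`, `apiEndTime`, `total_run_time`, `savedsearch_name`) and the REST job fields (`sid`, `eai:acl.app`, `eai:acl.owner`) are assumptions about the audittrail and jobs-endpoint formats of the Splunk version in use; confirm them with `index=_audit action=search info=completed | head 1` before relying on the output.

```spl
index=_audit action=search (info=granted OR info=completed)
    NOT user=splunk-system-user
    NOT "search_id='scheduler"
    NOT "search='|history"
    NOT "search='typeahead"
    NOT "search='| metadata type=* | search totalCount>0"
| rex field=search_id "^'?(?<sid>[^']+)'?$"
| stats min(_time) as _time
        values(user) as user
        values(search) as search
        values(apiStartTime) as range_earliest
        values(apiEndTime) as range_latest
        values(total_run_time) as run_seconds
        values(savedsearch_name) as savedsearch_name
    by sid
| join type=left sid
    [ | rest /services/search/jobs
      | rename eai:acl.app as app, eai:acl.owner as owner
      | fields sid app owner ]
| where isnotnull(search) AND search!=""
| table _time user owner app savedsearch_name search range_earliest range_latest run_seconds
| sort - _time
```

The `rex` strips the single quotes that wrap `search_id` in the audit event so it matches the bare `sid` returned by the REST call. Two caveats: `| rest /services/search/jobs` only lists jobs still within their TTL, so `app` and `owner` will be empty for anything older than a few minutes to hours (for a longer-term record, schedule this search and write the joined rows to a summary index while the jobs are still alive), and `run_seconds` only appears once the `completed` event has been logged, so searches that are still running or were cancelled show a blank there.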
