Does anyone know of a way to search all search histories containing |multisearch? Based on the previous answer, this query shows all searches using multisearch as a seperate row.
For example this multisearch below would show up as two seperate searches in the search history rather than 1 containing the word multisearch
|multisearch
[search 1]
[search 2]
https://answers.splunk.com/answers/12477/get-users-search-history.html
index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user
↧