Splunk search for Details on searches by user

index=_audit splunk_server=local action=search (id=* OR search_id=*) search_id!=scheduler* user!=splunk-system-user
| eval search_id = if(isnull(search_id), id, search_id)
| rex "search='search\s(?<search>.*?)',\sautojoin"
| eval user = if(user="n/a", null(), user)
| stats sum(total_run_time) as "Total Time Spent Searching (sec)", dc(search_id) as "# of Searches", max(_time) as "Last Search Time" by user
| eval "Avg Search Duration (sec)"='Total Time Spent Searching (sec)'/'# of Searches'
| fieldformat "Last Search Time" = strftime('Last Search Time', "%b %d, %Y %H:%M:%S")
This search reports per-user search activity from the audit log. It outputs a table showing how much time each user has spent running ad hoc searches, how many distinct searches they have run, their average search duration, and the time of their most recent search. Scheduled searches (search IDs beginning with scheduler) and the splunk-system-user account are excluded. The number of searches is a distinct count of search_id rather than a raw event count, because a single search normally produces several audit events (for example info=granted and info=completed). Note that splunk_server=local restricts results to the _audit index of the instance you run the search on; in a search head cluster, run it on each member.
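The table above gives totals, but for an audit reviewer the more useful question is usually "which user's search volume looks unusual for that user?" The following variant is an added example, not part of the original page; it assumes the same _audit fields used above (user, search_id, total_run_time) and computes per-user daily search counts, then flags days where a user's count is more than three standard deviations above their own average. The three-sigma threshold and the one-day bucket are assumptions to be tuned to your environment.

```spl
index=_audit splunk_server=local action=search (id=* OR search_id=*) search_id!=scheduler* user!=splunk-system-user
| eval search_id = if(isnull(search_id), id, search_id)
| eval user = if(user="n/a", null(), user)
| where isnotnull(user)
| bin _time span=1d
| stats dc(search_id) as searches, sum(total_run_time) as run_time_sec by user, _time
| eventstats avg(searches) as avg_searches, stdev(searches) as sd_searches, count as days_seen by user
| eval zscore = if(sd_searches > 0, round((searches - avg_searches) / sd_searches, 2), 0)
| where days_seen >= 7 AND zscore > 3
| sort - zscore
| fieldformat _time = strftime(_time, "%b %d, %Y")
| table _time, user, searches, avg_searches, zscore, run_time_sec
```

The days_seen >= 7 guard avoids flagging accounts with too little history to have a meaningful baseline. Run it over a time range long enough to establish that baseline (several weeks), and review flagged users alongside the search text extracted by the rex in the original query to understand what they were actually running.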
Category: General Splunk

Tags: administration, audit