Splunk search for List of searches run

index=_audit action=search sourcetype=audittrail search_id=* search!="'typeahead*" NOT (user=splunk-system-user) | rex field=_raw "search\=(?P<search>.*)\]\[n\/a\]$" | rex field=search "sourcetype\s*=\s*\"*(?<thisSourcetype>[^\s\"]+)" | rex field=search "index\s*=\s*\"*(?<thisIndex>[^\s\"]+)" | fillnull value="-" thisSourcetype thisIndex | stats latest(_time) as Latest by user search thisSourcetype thisIndex | sort - Latest | eval Latest=strftime(Latest,"%b %d, %Y %H:%M:%S") | rename thisSourcetype as Sourcetype, thisIndex as Index
This search lists every search run within the chosen time range: the user who ran it, the search string, the sourcetype and index it targeted, and when it was last run. The fillnull step keeps searches that do not name an index or sourcetype explicitly (shown as "-"); without it, stats would silently drop those rows because the by-fields are null. Typeahead requests and searches run by splunk-system-user are excluded.
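As an added illustration, not code from the original post, the Python below reproduces the same filtering and rex extractions over a few constructed audittrail events, including the fillnull case for searches that name no index or sourcetype. The event layout and the key=value extraction regex are assumptions standing in for Splunk's own automatic field extraction.

```python
import re
from datetime import datetime

# Constructed sample audittrail events in the older "][n/a]"-terminated layout that the
# SPL's first rex expects; they are illustrative, not captured from a real Splunk.
AUDIT_LINES = [
    "Audit:[timestamp=02-07-2019 10:35:07.433, user=alice, action=search, search_id='1.1', "
    "search='search index=main sourcetype=access_combined status=500', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=02-07-2019 10:36:10.101, user=alice, action=search, search_id='1.2', "
    "search='search index=main sourcetype=access_combined status=500', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=02-07-2019 10:37:00.000, user=bob, action=search, search_id='1.3', "
    "search='typeahead prefix=\"index=\" count=10', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=02-07-2019 10:38:00.000, user=bob, action=search, search_id='1.4', "
    "search='search error | head 5', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=02-07-2019 10:39:00.000, user=splunk-system-user, action=search, "
    "search_id='1.5', search='search index=_internal', savedsearch_name=\"\"][n/a]",
]

# The three rex patterns from the SPL, in Python syntax ((?<x>) becomes (?P<x>)).
SEARCH_RE = re.compile(r"search=(?P<search>.*)\]\[n/a\]$")
SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"*(?P<thisSourcetype>[^\s"]+)')
INDEX_RE = re.compile(r'index\s*=\s*"*(?P<thisIndex>[^\s"]+)')
# Assumed stand-in for Splunk's automatic key=value extraction on audittrail events.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]+)")

def parse_audit_line(raw):
    """Apply the SPL's filters and rex extractions to one event; None if it is filtered out."""
    kv = dict(KV_RE.findall(raw))
    if (kv.get("action") != "search" or "search_id" not in kv
            or kv.get("user") == "splunk-system-user" or kv.get("search", "").startswith("'typeahead")):
        return None
    m = SEARCH_RE.search(raw)            # like rex, keep the auto-extracted field if no match
    search = m.group("search") if m else kv["search"]
    st, idx = SOURCETYPE_RE.search(search), INDEX_RE.search(search)
    return {"user": kv["user"], "search": search,
            "Sourcetype": st.group(1) if st else "-",   # fillnull: keep searches that name
            "Index": idx.group(1) if idx else "-",      # no explicit sourcetype/index
            "_time": datetime.strptime(kv["timestamp"], "%m-%d-%Y %H:%M:%S.%f")}

def summarize_audit(lines):
    """stats latest(_time) as Latest by user search Sourcetype Index | sort - Latest."""
    latest = {}
    for ev in filter(None, map(parse_audit_line, lines)):
        key = (ev["user"], ev["search"], ev["Sourcetype"], ev["Index"])
        latest[key] = max(latest.get(key, ev["_time"]), ev["_time"])
    return [dict(zip(("user", "search", "Sourcetype", "Index"), key),
                 Latest=t.strftime("%b %d, %Y %H:%M:%S"))
            for key, t in sorted(latest.items(), key=lambda kv: kv[1], reverse=True)]
```

Note that, exactly as in the SPL, the greedy first rex captures everything up to `][n/a]`, so the `search` value carries the trailing audit attributes (e.g. `savedsearch_name`) along with the search string.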