Splunk search for Details on Ad-hoc Searches Run by Users

Copy
index=_audit action=search search=* user!=splunk-system-user provenance!=scheduler | table _time user search host total_run_time result_count | sort - _time
This Splunk search will return a table showing information on ad-hoc searches that have been run by users within your Splunk environment. The search will return: _time, user, search, host, total_run_time, result_count. This can be useful for keeping track of who is in your environment, how efficient the searches are that are being run, etc...
0 comments

Category:

General Splunk


Tags:

search audit _internal splunk search ad hoc search ad-hoc search

Search Commands:

Sign in or Register to submit a comment