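index=_audit action="login attempt"
```Login outcomes per user. Audit login events carry action="login attempt"; matching that exact value instead of the wildcard log* keeps any other log* audit action out of the Attempts count.```
| stats count as Attempts by user, info
```info holds the result of the attempt (for example succeeded or failed) and is shown as Outcome. Adding clientip or method to the by clause is useful when investigating one account, but changes the output columns.```
| rename info as "Outcome"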
```Which SQL statements Splunk DB Connect users executed, taken from the audit trail of the db_connect query REST endpoint.```
index=_audit sourcetype=audittrail action="db_connect_execute_query"
```The pattern anchors on " REST: /db_connect/query/" and captures everything after the literal SELECT up to the trailing "]<char><word char><non-space><word char>]" tail (presumably the "][n/a]" suffix seen on audit events -- confirm against _raw). Only SELECT statements are captured: any other statement type leaves Query empty in the table, and the SELECT keyword itself is not part of the captured text.```
| rex field=_raw "\sREST:\s\/db_connect\/query\/.+SELECT(?<Query>.+)].\w\S\w]"
```The query text is URL-encoded in the audit event; decode it for display. It remains user-supplied text, so treat it as data, not as something to re-run.```
| eval Query=urldecode(Query)
```timestamp is the key of the same name carried in the audit event, user is the account that issued the query.```
| table timestamp user Query
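index=_audit splunk_server=local action=search (id=* OR search_id=*) search_id!=scheduler* user!=splunk-system-user
```Ad-hoc search activity per user. Scheduled searches (search_id beginning with scheduler) and the internal splunk-system-user are excluded up front; the event may carry its identifier in either id or search_id, which the filter accepts in either form.```
| eval search_id=coalesce(search_id, id)
```coalesce() replaces if(isnull(search_id), id, search_id). The normalised id is not consumed by the stats below, but keeps one id field for drilldown on the raw events. The extraction of the search string (rex on search='search ...',autojoin) was dropped because nothing after stats by user used it.```
| eval user=if(user="n/a", null(), user)
```null() is the eval function; the original bare null only worked because an undefined field name evaluates to null. Nulling "n/a" makes stats ... by user drop those events rather than report a pseudo-user.```
| stats sum(total_run_time) as "Total Time Spent Searching (sec)", count as "# of Searches", max(_time) as "Last Search Time" by user
| eval "Avg Search Duration (sec)"='Total Time Spent Searching (sec)'/'# of Searches'
```fieldformat only changes how the epoch is rendered, so "Last Search Time" still sorts numerically.```
| fieldformat "Last Search Time"=strftime('Last Search Time', "%b %d, %Y %H:%M:%S")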
index=_audit sourcetype=audittrail action=edit_user
```Account edits performed on someone else's account. Rows where the actor (user) equals the edited account (object) are self-service changes and are excluded; an event with no object field does not pass the comparison either.```
| where user!=object
| eval Date=strftime(_time, "%b %d, %Y")
```One row per actor, outcome (info), target account and day.```
| stats count by user, info, object, Date
| rename user as User, info as "Status", object as "Target Account"
```sort without an explicit count keeps its default maximum of 10000 rows.```
| sort - count
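| rest /servicesNS/-/-/data/ui/views splunk_server=*
```Inventory of every dashboard in every app, left-joined with the last time Splunk Web served it. Dashboards with no matching web access row are reported as never accessed.```
| search isDashboard=1
| rename eai:acl.app as app
| fields title app
```The join is keyed on app as well as title: keyed on title alone, same-named dashboards in different apps collapsed into one row. The rex assumes uri_path looks like /<locale>/app/<app>/<view> -- confirm against uri_path values. join's subsearch is subject to the subsearch result and time limits, so on a busy deployment a truncated subsearch can make a recently viewed dashboard look unused.```
| join type=left title app [
    search index=_internal sourcetype=splunk_web_access host=* user=*
    | rex field=uri_path "/app/(?<app>[^/]+)/(?<title>[^/]+)$"
    | stats latest(_time) as Time latest(user) as user by title app
]
| eval Now=now()
| eval "Days Since Last Viewed"=if(isnull(Time), "Never accessed", round((Now-Time)/86400))
```Sort on the epoch before converting it to text so the order is chronological.```
| sort Time
| convert ctime(Time)
| fields - Now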
index=_internal sourcetype=scheduler status=skipped
```Scheduled searches the scheduler skipped, most frequent (app, type, reason, search, host) combinations first. A skipped run produced no results for that window, alert actions included, so this doubles as a detection-coverage check.```
| stats count by app, search_type, reason, savedsearch_name, host
| rename count as Count, app as App, search_type as "Search Type", reason as Reason, savedsearch_name as "Search Name", host as Host
```sort without an explicit count keeps its default maximum of 10000 rows.```
| sort - Count
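index=_audit action="login attempt" info=succeeded
```Successful logins per day. info=succeeded on its own matches other audit actions that also carry an info field (user edits, for instance), so the action filter is what makes the "Total Logins" label true.```
| timechart span=1d dc(user) as "Unique Users" count(user) as "Total Logins"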
| tstats count where index=* by index, host
```One row per index listing every host that has written to it within the search's time range. The count is only a vehicle for the by clause and is discarded by the stats below.```
| stats values(host) as host by index
| tstats latest(_time) as latest_time by index, sourcetype, host
```Feed-silence check: every (index, sourcetype, host) whose newest event is an hour or more old. Only combinations with at least one event inside the search's time range appear, so a feed that went quiet before the range started produces no row at all -- run it over a window at least as long as the longest gap you want to catch.```
| eval now_time=now(), time_since_last=now_time-latest_time
```now() is fixed for the duration of the search, so the age computed from now_time is the same as computing it from now() directly.```
| where time_since_last>=3600
```Render the two epoch fields for display; the original foreach *_time matched exactly these two.```
| eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S"), now_time=strftime(now_time, "%m/%d/%Y %H:%M:%S")
| rename latest_time as "Time of Last Event", now_time as "Present Time", time_since_last as "Seconds Since Last Event"
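index=_audit action=search sourcetype=audittrail search_id=* search!="'typeahead*" NOT (user=splunk-system-user)
```Who searched which index and sourcetype, and when they last did. Typeahead requests and the internal splunk-system-user are excluded.```
| rex field=_raw "search\=(?P<search>.*)\]\[n\/a\]$"
```Pull the explicit sourcetype= and index= terms out of the search string. Only the first occurrence of each is captured, so a search naming several indexes is attributed to the first one.```
| rex field=search "sourcetype\s*=\s*\"*(?<thisSourcetype>[^\s\"]+)"
| rex field=search "index\s*=\s*\"*(?<thisIndex>[^\s\"]+)"
```stats ... by drops any row whose group-by field is null, so searches without an explicit index= or sourcetype= were silently missing from the audit view. Label them instead of losing them.```
| fillnull value="(not specified)" thisSourcetype thisIndex
| stats latest(_time) as Latest by user, search, thisSourcetype, thisIndex
```sort 0 lifts the default 10000-row cap; sort on the epoch before formatting it so the order is chronological rather than alphabetical.```
| sort 0 - Latest
| eval Latest=strftime(Latest, "%b %d, %Y %H:%M:%S")
| rename thisSourcetype as Sourcetype, thisIndex as Index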