Splunk query to get user, saved search name, last time the query ran - splunk

From Splunk, I am trying to get the user, saved search name and last time a query ran?
A single Splunk query will be nice.
I am very new to Splunk and I have tried these queries:
index=_audit action=search info=granted search=*
| search IsNotNull(savedsearch_name) user!="splunk-system-user"
| table user savedserach_name user search _time
The above query is always empty for savedsearch_name.

Splunk's audit log leaves a bit to be desired. For better results, search the internal index.
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| table user savedsearch_name _time
You won't see the search query, however. For that, use REST.
| rest /services/saved/searches | fields title search
Combine them something like this (there may be other ways):
index=_internal savedsearch_name=* NOT user="splunk-system-user"
| fields user savedsearch_name _time
| join savedsearch_name [| rest /services/saved/searches
| fields title search | rename title as savedsearch_name]
| table user savedsearch_name search _time

Note that you have a typo in your query. "savedserach_name" should be "savedsearch_name".
But I also recommend a free app that has a dedicated search tool for this purpose.
https://splunkbase.splunk.com/app/6449/
Specifically the "user activity" view within that app.
Why it's a complex problem - part of the puzzle is in the audit log's info="granted" event, another part is in the audit log's info="completed" event, even more of it is over in the introspection index. You need those three stitched together, and the auditlog is plagued with parsing problems and autokv compounds the problem by extracting all of fields from the SPL itself.
That User Activity view will do all of this for you, sidestep pretty thorny autokv problems in the audit data, and not just give you all of this per search, but also present stats and rollups by user, app, dashboard, even by sourcetypes-that-were-actually-searched.
It also has a macro called "calculate pain" that will score a "pain" number for each search, and then sum up all the "pain" in the by-user, by-app, by-sourcetype rollups etc., so that admins can try and pick off the worst offenders first.
It's up on SB here and approved for both Cloud and on-prem - https://splunkbase.splunk.com/app/6449/
(and there's a #sideview_ui channel for it in the community slack.)
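The stitching the answer above describes (granted and completed audit events joined on search_id, the system user excluded, and key=value extraction that does not mistake pairs inside the SPL for fields), as an added Python example that is neither answer's code nor part of the app; the audit lines are constructed to mimic the _audit format and their exact field layout is an assumption.

```python
import re
from datetime import datetime

# Constructed lines shaped like _audit search events (not real Splunk output; the
# field layout is an assumption). granted carries the SPL and savedsearch_name,
# completed carries run statistics; search_id links the two. The SPL itself holds
# user= and action= pairs, which naive key=value extraction (autokv) would pick up.
AUDIT_LINES = [
    "Audit:[timestamp=10-02-2023 09:00:00.000, user=alice, action=search, info=granted REST, "
    "search_id='1696237200.11', search='search index=auth action=failure user=* | stats count "
    "by user', savedsearch_name=\"Failed logins by user\"][n/a]",
    "Audit:[timestamp=10-02-2023 09:00:04.000, user=alice, action=search, info=completed, "
    "search_id='1696237200.11', total_run_time=3.80, event_count=42][n/a]",
    "Audit:[timestamp=10-02-2023 10:30:00.000, user=bob, action=search, info=granted REST, "
    "search_id='1696242600.27', search='search index=auth action=failure user=* | stats count "
    "by user', savedsearch_name=\"Failed logins by user\"][n/a]",
    "Audit:[timestamp=10-02-2023 10:30:06.000, user=bob, action=search, info=completed, "
    "search_id='1696242600.27', total_run_time=5.25, event_count=57][n/a]",
    "Audit:[timestamp=10-02-2023 11:00:00.000, user=splunk-system-user, action=search, "
    "info=granted REST, search_id='sched.1', search='search index=_internal | stats count', "
    "savedsearch_name=\"Scheduled volume check\"][n/a]",
]

# Top-level key=value pairs only: a quoted value is consumed whole, so pairs inside the SPL stay inside it.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|([^,\]]*))")

def parse_audit_line(line):
    """Return the fields of one Audit:[...] record as a dict, or None if there is no record."""
    m = re.search(r"Audit:\[(.*?)\](?:\[[^\]]*\])?\s*$", line)
    if not m:
        return None
    return {kv.group(1): next(g for g in kv.groups()[1:] if g is not None).strip()
            for kv in KV_RE.finditer(m.group(1))}

def saved_search_activity(lines, exclude_users=("splunk-system-user",)):
    """Latest run per saved search: user, SPL, time, run time (granted+completed joined on search_id)."""
    granted, completed = {}, {}
    for ev in filter(None, map(parse_audit_line, lines)):
        if ev.get("action") != "search" or "search_id" not in ev:
            continue
        if ev.get("info", "").startswith("granted"):
            granted[ev["search_id"]] = ev
        elif ev.get("info", "").startswith("completed"):
            completed[ev["search_id"]] = ev
    result = {}
    for sid, ev in granted.items():
        name = ev.get("savedsearch_name")
        if not name or ev.get("user") in exclude_users:
            continue  # ad-hoc search, or a scheduler run by the system user
        ran_at = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        if name not in result or ran_at > result[name]["last_run"]:
            done = completed.get(sid, {})
            result[name] = {"user": ev["user"], "search": ev["search"], "last_run": ran_at,
                            "total_run_time": float(done["total_run_time"]) if "total_run_time" in done else None}
    return result
```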

Related

How to accumulate counts from different searches into one (pie) chart?

I have 5 different searches I am doing in Splunk where I am getting the count of how many results from that search query.
I've had a look at this thread here:
https://answers.splunk.com/answers/757081/pie-chart-with-count-from-different-search-criteri.html
but it's not quite working for me; I'm not 100% sure if it's what I want.
My search queries all look something like this:
index=A variable="foo" message="Created*" | stats count
index=A variable="foo" message="Deleted*" | stats count
I ideally want to assign each query to a keyword, such as created, deleted, etc., and then do a pie chart based on the counts.
The following should be sufficient.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | stats count by message
If you can provide some more examples of the events you are trying to chart, there may be alternate approaches that can work for you.
This version will extract the key part of the message (Created, Deleted, etc.) into a field called mtype and you can then perform stats on that field.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | rex field=message "(?<mtype>Created|Deleted|...)" | stats count by mtype

Splunk: Get a count of all occurrences of a string?

My log files log a bunch of messages in the same instance, so simply search for a message id followed by a count will not work (I will only count 1 per event when I want to count as many as 50 per event). I want to first narrow down my search to the events which show messages being sent ("enqueued"), and then count all instances of the string "mid".
Any ideas? I am very bad with Splunk. How do I get all instances of "mid" to be a countable field?
index=* service=myservice "enqueued" "mid" | stats count mid
Your current search doesn't work because you (probably) don't have a field called 'mid'.
To search for strings within the event you can use rex. Try this.
index=* service=myservice "enqueued" "mid"
| rex max_match=0 "(?<mids>mid)"
| eval midCount=mvcount(mids)
| table midCount
BTW, "index=*" is a bad practice. It forces Splunk to search in every index, which really slows things down. After your first search you should know and use the real index name.

how can I find all dashboards in splunk, with usage information?

I need to locate data that has become stale in our Splunk instance, so that I can remove it.
I need a way to find all the dashboards, and sort them by usage. From the audit logs I've been able to find all the actively used logs, but as my goal is to remove data, I most need the dashboards not in use.
Any ideas?
You can get a list of all dashboards using | rest /services/data/ui/views | search isDashboard=1. Try combining that with your search for active dashboards to get those that are not active.
| rest /services/data/ui/views | search isDashboard=1 NOT [<your audit search> | fields id | format]

How do I create a dashboard that searches other dashboards for recently modified or updated dashboards in Splunk?

So I was just wondering if it was possible to create simple XML or HTML code for a dashboard that searches for all other recently modified or updated searches of dashboards in Splunk?
And if so when I search up these updated databases I would like to know the indexes and dataset that these dashboards have.
Requested Table format
Dashboard Name, Index, Timestamp (Shows when the dashboard was last updated)
Hopefully that makes sense. Please let me know if it's possible, or similar ways I can find this! Thanks
You could search the "_audit" index:
index=_audit | table _time user action info
The "_internal" index also has some sources on which to do username analytics, i.e. searches.log:
index=_internal

How to use a table of search terms in Full Text Search 2012

First of all, thanks for your time. Now on to the question!
I am creating a subscription-based service for some users. Basically, some users are creating articles (blurbs of information) in one part of their company. Users want to be able to subscribe to words or phrases being used in those articles and get an email if their "subscription phrase is matched". Currently I have a SQL Server database of all subscriptions made by users. I was thinking of making a stored procedure that takes the "article" text and does an FTS on it. I have a small familiarity with FTS but have no idea how to implement it.
In diagrams:
Subscriptions:
| Name      | Phrase            |
| 'Josh'    | 'Test Text'       |
| 'Jessica' | 'Another purpose' |
Article coming in: "Test Text is very dangerous" should produce the result Josh.
A different article, "Test text is very dangerous unless used for another purpose", should produce the result:
| Josh    |
| Jessica |
You can do it like this:
select * from Subscriptions
where CHARINDEX(Phrase, 'Test Text is very dangerous') > 0