Splunk table dedup

9/10/2023

Today we will show you how to create a Splunk User Analysis and Monitoring Dashboard. To achieve this we need to create the following panels in our dashboard:

1) Total Number of Currently Logged-in Users
2) Total Number of Users Logged in During the Last 24 Hours
3) List of Active Users Logged in with Details
4) List of Users who Exported Results from Splunk
5) Type of Knowledge Object Created by User
6) Long-Running Search or Service-Impacting Search Run by User
7) User Name and the Index They Queried
8) Knowledge Objects Created by Users
9) Saved Searches by Users, Excluding Admin
10) List of Unique Email Addresses Configured in Saved Searches

All of the `| rest` panels below read the REST API with the permissions of the user viewing the dashboard, and `splunk_server=local` keeps the result to the search head itself rather than every member of the cluster.

1. Total Number of Currently Logged-in Users

Using the query below you can find the users currently logged in to Splunk. The REST endpoint returns the active session tokens; the internal splunk-system-user is excluded so that it does not inflate the count.

```
| rest /services/authentication/httpauth-tokens
| search NOT userName="splunk-system-user"
| stats count as "Active User currently logged in"
```

2. Total Number of Users Logged in During the Last 24 Hours

Using the query below you can find the logins of the last 24 hours. It is built on the web access log in the _internal index, restricted to events that carry a user name. Only the opening subsearch was preserved on this page:

```
[ search index=_internal source="*web_access.log*" user!="-"
```

3. List of Active Users Logged in with Details

Using the query below you can list the currently logged-in sessions with the user name, the Splunk server, and the time of last access.

```
| rest /services/authentication/httpauth-tokens splunk_server=local
| rename "splunk_server" as "SplunkServer","timeAccessed" as "TimeOfAccess","userName" as "UserName"
| table UserName,SplunkServer,TimeOfAccess
```

4. List of Users who Exported Results from Splunk

Using the query below you can find the users who exported results from Splunk, together with the search they ran and the export format (the output_mode field). The base search of this panel was not preserved on this page; the reporting part is:

```
| rename user as UserName,search as SearchQuery,output_mode as ResultFormat
| table UserName,SearchQuery,ResultFormat
```

5. Type of Knowledge Object Created by User

Using the query below you can find which type of knowledge object each user created, based on the UI access log: requests to the views endpoint are dashboards, requests to the saved searches endpoint are saved searches. The NAME and NAME1 fields are expected to hold the object names extracted from uri_path; that extraction step is not shown on this page, so add it before the eval.

```
index=_internal sourcetype="splunkd_ui_access" (uri_path="*/data/ui/views/*" OR uri_path="*saved/searches/*")
| eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )"
| stats list(NAME) as NAME,list(method) as MethodName,list(status) as Status_Code,list(STATUS) as STATUS by user
```

6. Long-Running Search or Service-Impacting Search Run by User

Using the query below you can find the long-running, service-impacting searches run by each user. total_run_time in the _audit index is in seconds, so dividing by 60 gives minutes; if the runtime is more than 5 minutes the search is considered to be impacting the service. The computed field is named Total_Run_Time_Min here because an unquoted field name containing parentheses is not valid in eval. Add a where clause on that field if the panel should show only the searches above the five-minute threshold.

```
index="_audit" action="search" search=* NOT user="splunk-system-user" exec_time=*
| eval Total_Run_Time_Min=(total_run_time/60)
| rename user as UserName,search as Search
```

7. User Name and the Index They Queried

Using the query below you can find each user and the indexes they searched. The search string is matched for the word index; indexname and indexname1 are two alternative captures of the index name from the search string, and coalesce takes whichever one is populated. The extraction that produces them is not shown on this page, so add a rex on the search field before the eval.

```
index="_audit" action=search search="*index*" user=* NOT user=splunk-system-user
| eval IndexName=coalesce(indexname,indexname1)
| stats values(IndexName) as "IndexName" by user
```

8. Knowledge Objects Created by Users

Using the query below you can find the knowledge objects created by each user. It combines the REST listings of the different object types (views, panels, lookups, event types, macros, field extractions, and scheduled searches with alert actions), labels each with an Object field, and groups them by the owner in eai:userName. Only the following fragments of the combined query survived on this page, so the subsearches must be reassembled; the page shows `| eval Object="Views"` as the label used for the views endpoint.

```
[| rest /servicesNS/-/-/data/ui/views splunk_server="local" | eval Object="Views"]
[| rest /servicesNS/-/-/data/ui/panels splunk_server="local"
[| rest /servicesNS/-/-/data/props/lookups/ splunk_server="local"
[| rest /servicesNS/-/-/saved/eventtypes splunk_server="local"
[| rest /servicesNS/-/-/configs/conf-macros splunk_server="local"
| rest /servicesNS/-/-/data/props/extractions
[ search index=_internal sourcetype=scheduler alert_actions!=""
| rename eai:userName as User
| stats values(*) as * by User
| table User
```

9. Saved Searches by Users, Excluding Admin

Using the query below you can list the saved searches by user, excluding those owned by admin. Only the REST call survived on this page; the filter on the owner that follows it is not preserved.

```
| rest /servicesNS/-/-/saved/searches splunk_server="local"
```
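The two _audit panels above (which index each user queried, and which searches ran longer than five minutes) can be checked offline before the dashboard is built. The following Python is an added example and is not code from the original post: it parses a handful of constructed log lines modelled on Splunk _audit search events (key=value pairs inside `Audit:[...]`, with the `search` value single-quoted; the real layout of your audit.log may differ), captures the index name from both the quoted and the bare `index=` form as the coalesce step implies, and applies the five-minute threshold to `total_run_time`.

```python
"""Offline check of the _audit-based panels: index names per user and
searches over the service-impact threshold.

Added example, not part of the original post. The lines below are
constructed to resemble _audit action=search events; the real field
layout may differ from this sample.
"""
import re
from collections import defaultdict

# Constructed sample events (not real Splunk output).
AUDIT_LINES = [
    "Audit:[timestamp=09-10-2023 10:15:22.123, user=alice, action=search, "
    "info=completed, search='search index=main sourcetype=access_combined "
    "status=500', exec_time=1694340922, total_run_time=312.40]",
    "Audit:[timestamp=09-10-2023 10:16:02.001, user=bob, action=search, "
    "info=completed, search='search index=\"firewall\" action=blocked "
    "| stats count by src', exec_time=1694340962, total_run_time=12.05]",
    "Audit:[timestamp=09-10-2023 10:18:45.500, user=alice, action=search, "
    "info=completed, search='search index=\"firewall\" OR index=proxy "
    "| table _time', exec_time=1694341125, total_run_time=901.00]",
    "Audit:[timestamp=09-10-2023 10:19:00.000, user=splunk-system-user, "
    "action=search, info=completed, search='search index=_internal', "
    "exec_time=1694341140, total_run_time=1800.00]",
    "Audit:[timestamp=09-10-2023 10:20:00.000, user=bob, action=login, "
    "info=succeeded]",
]

# key=value pairs; a value is either single-quoted (may contain spaces and
# commas) or runs up to the next comma.
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]+)")

# index=main  or  index="main"  (the two captures the page coalesces).
INDEX_RE = re.compile(r'\bindex\s*=\s*(?:"([^"]+)"|(\S+))')

SYSTEM_USERS = ("splunk-system-user",)


def parse_audit(line):
    """Return the fields of one Audit:[...] line as a dict, quotes stripped."""
    body = line[line.index("[") + 1 : line.rindex("]")]
    fields = {}
    for key, value in KV_RE.findall(body):
        fields[key] = value[1:-1] if value.startswith("'") else value
    return fields


def indexes_in(search):
    """Index names referenced by index=... terms, quoted or bare, in order."""
    return [quoted or bare for quoted, bare in INDEX_RE.findall(search)]


def search_events(lines, exclude=SYSTEM_USERS):
    """Yield parsed action=search events, skipping the system user."""
    for line in lines:
        ev = parse_audit(line)
        if ev.get("action") == "search" and ev.get("user") not in exclude:
            yield ev


def indexes_by_user(lines):
    """Panel 7: stats values(IndexName) by user."""
    seen = defaultdict(set)
    for ev in search_events(lines):
        seen[ev["user"]].update(indexes_in(ev.get("search", "")))
    return {user: sorted(names) for user, names in seen.items()}


def long_running(lines, threshold_min=5.0):
    """Panel 6: searches whose total_run_time (seconds) exceeds the
    threshold in minutes, as (user, minutes, search), slowest first."""
    hits = []
    for ev in search_events(lines):
        if "total_run_time" not in ev or "exec_time" not in ev:
            continue  # event has no timing fields; ignore
        minutes = float(ev["total_run_time"]) / 60
        if minutes > threshold_min:
            hits.append((ev["user"], round(minutes, 2), ev["search"]))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for user, names in indexes_by_user(AUDIT_LINES).items():
        print(f"{user}: {', '.join(names)}")
    for user, minutes, search in long_running(AUDIT_LINES):
        print(f"{minutes:>7.2f} min  {user}  {search}")
```

Both checks exclude splunk-system-user and ignore non-search audit events, exactly as the SPL does with `NOT user=splunk-system-user` and `action=search`; the threshold is a parameter so the same function can be rerun with a tighter limit when tuning the panel.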