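#!/usr/bin/perl
###
### userinfo - makes the best attempt to get the last search queries
### a user makes inside splunk.
###
### by kirk waingrow
###
### Reads the Splunk user list (via "splunk list user"), scans every file
### matching "$LOGFILE*" for today's user-issued search events, and prints
### one line per active user, most active first:
###
###     <count> <HH:MM of last match> <username> <full name>
###
use strict;
use warnings;
use POSIX qw(strftime);

# Path prefix of the Splunk audit log; rotated copies ("audit.log.1", ...)
# are included because the glob "$LOGFILE*" is scanned.
my $LOGFILE = "/opt/splunk/var/log/splunk/audit.log";

# Credentials handed to "splunk list user -auth".  The original script
# hard-coded admin:admin; that value is kept only as the fallback so existing
# installs keep working.  Set SPLUNK_AUTH=user:password in the environment to
# keep the password out of this file.  Either way the value is passed on the
# splunk command line and is therefore visible in the local process list for
# the duration of that command.
my $AUTH = defined $ENV{SPLUNK_AUTH} ? $ENV{SPLUNK_AUTH} : "admin:admin";

# Today's date in the MM-DD-YYYY form used to match audit.log timestamps
# (same format the original obtained from `date +%m-%d-%Y`, local time).
sub today_mdy {
    return strftime('%m-%d-%Y', localtime);
}

# Turn the output lines of "splunk list user" into a list of
# { user => $username, name => "First Last" } hashrefs.
#
# A "username:" line starts a new user; the following "full-name:" line
# attaches the first two words of the name (the original only ever used
# two words, so that limit is preserved).  "full-name:" lines seen before
# any "username:" line are ignored.
sub parse_user_list {
    my @lines = @_;
    my @users;
    my $current;
    for my $line (@lines) {
        my @bits = split ' ', $line;    # split ' ' tolerates leading blanks
        next unless @bits;
        if ($bits[0] eq 'username:') {
            $current = $bits[1];
        }
        elsif ($bits[0] eq 'full-name:' && defined $current) {
            my $name = join ' ', grep { defined } @bits[1, 2];
            push @users, { user => $current, name => $name };
        }
    }
    return @users;
}

# True when an audit.log line is a search event from date $dt that the
# original filter kept: it must mention a user and action=search, and must
# not be one of the internal/helper searches or an admin-like user.
# Note that the final /admin/ test already excludes "splunkadmin" and
# "search_admin_index"; the explicit tests are kept for fidelity.
sub is_user_search {
    my ($line, $dt) = @_;
    return $line =~ /\Q$dt\E/
        && $line =~ /user=/
        && $line =~ /action=search/
        && $line !~ /searchps/
        && $line !~ /search_admin_index/
        && $line !~ /cancelps/
        && $line !~ /sourcetype::splunk_web_access/
        && $line !~ /splunkadmin/
        && $line !~ /admin/;
}

# Read every file matching "$logfile*" and return the lines accepted by
# is_user_search() for date $dt, in file-glob order (the order `cat` would
# have used).  The first hyphen of each kept line is removed, as in the
# original script; the reason for that edit is not recorded.
sub collect_events {
    my ($logfile, $dt) = @_;
    my @events;
    my @files = glob("${logfile}*");
    warn "$logfile not here\n" unless @files;
    for my $file (@files) {
        open my $in, '<', $file or do {
            warn "open $file: $!\n";
            next;
        };
        while (my $line = <$in>) {
            next unless is_user_search($line, $dt);
            $line =~ s/-//;
            push @events, $line;
        }
        close $in or warn "close $file: $!\n";
    }
    return @events;
}

# Count, for each user in @$users, the events in @$events containing
# "user=<username>" and build the report lines, sorted by count descending.
#
# The HH:MM shown is taken from the last matching event: the event's second
# space-separated field, of which the first two colon-separated parts are
# kept (e.g. "10:15" from "10:15:30.123,").
#
# The match is a substring match, exactly as before, so "user=admin" would
# also count events for "user=administrator"; the username is quotemeta'd
# so regex metacharacters in a name cannot change the pattern.
sub summarize_users {
    my ($users, $events) = @_;
    my @summary;    # [ count, report line ]
    for my $u (@$users) {
        my $user = $u->{user};
        next unless defined $user && length $user;
        my $cnt   = 0;
        my $stamp = ':';
        for my $event (@$events) {
            next unless $event =~ /user=\Q$user\E/;
            $cnt++;
            my (undef, $d2) = split / /, $event;
            my ($t1, $t2) = split /:/, (defined $d2 ? $d2 : '');
            $stamp = join ':', map { defined $_ ? $_ : '' } $t1, $t2;
        }
        push @summary, [ $cnt, "$cnt $stamp $user $u->{name}" ] if $cnt > 0;
    }
    return map { $_->[1] } sort { $b->[0] <=> $a->[0] } @summary;
}

# Entry point: list users, scan today's events, print the report to STDOUT.
# The original also contained a commented-out copy of the output to
# /home/splunk/status/usershittingsplunk.txt; that is left out.
sub main {
    my $dt = today_mdy();

    # List form: no shell is involved, so the credential string is passed
    # as a single argument rather than interpolated into a command line.
    open my $splunk, '-|', '/opt/splunk/bin/splunk', 'list', 'user', '-auth', $AUTH
        or die "cannot run splunk list user: $!\n";
    my @users = parse_user_list(<$splunk>);
    close $splunk or warn "splunk list user exited with status $?\n";

    my @events = collect_events($LOGFILE, $dt);

    print "$_\n" for summarize_users(\@users, \@events);
    return 0;
}

exit main() unless caller;
1;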