topic Re: What are the fields in _audit that specify the interval for each search? in Monitoring Splunk

What are the fields in _audit that specify the interval for each search?

danielbb — Thu, 26 Jun 2025 15:36:52 GMT

We would like to produce statistics about the usage of Splunk and we would like to categorize the searches by ranges, whether they cover the last day, past week or past month, and I wonder which fields in _audit provide the beginning and end interval of the search.

Re: What are the fields in _audit that specify the interval for each search?

richgalloway — Thu, 26 Jun 2025 15:49:42 GMT

Check out the search_et and search_lt fields.

Re: What are the fields in _audit that specify the interval for each search?

livehybrid — Thu, 26 Jun 2025 15:52:15 GMT

Hi @danielbb

You could start with something like this:

index=_audit action=search info=completed search_et!="N/A" | eval time_span=search_lt-search_et | eval time_span_group=case( time_span<3600, "<1hr", time_span>=3600 AND time_span<7200, "1-2hrs", time_span>=7200 AND time_span<43200, "<12hrs", time_span>=43200 AND time_span<86400, "<24hrs", time_span>=86400 AND time_span<259200, "<3days", time_span>=259200 AND time_span<604800, "<7days", time_span>=604800 AND time_span<2592000, "<30days", time_span>=2592000 AND time_span<7776000, "<90days", time_span>=7776000 AND time_span<31536000, "<1year", time_span>=31536000, "more" ) | stats count by time_span_group

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: What are the fields in _audit that specify the interval for each search?

danielbb — Thu, 26 Jun 2025 16:24:50 GMT

Amazing! thank you.