Can somebody from Splunk please explain the changes to GUI search logging

responsys_cm — Tue, 18 Jun 2013 21:16:46 GMT

Prior to the 5.x (and possibly earlier), Splunk logged user searches from the GUI in a human readable format. The event had the user name and something like search="search bla bla bla | stats count by bla...". It was easy to read and audit.

Now when I look in the _internal index for searches that I or other users have run, all the searches are URL encoded. They are way more difficult to read and audit.

Why would you guys elect to make those logging events less human readable and what is the best method to advocate for changing the logging format back to something I can read?

Thx.

Re: Can somebody from Splunk please explain the changes to GUI search logging

hexx — Wed, 26 Jun 2013 18:23:20 GMT

I'm pretty sure you are referencing $SPLUNK_HOME/var/log/splunk/searches.log, which was indeed retired in 5.0 because the same level of information (and then some) is available from audit.log and in the _audit index.

The good news is it's pretty easy to gain access to the same level of information by searching the _audit index:

index=_audit search=*

If you want to make it fancier and show more information such as the start and end time range of the search, you can use this search:

index=_audit search=*
| eval earliest_time=if(like(apiStartTime,"%ZERO_TIME%"),"epoch",apiStartTime)
| eval latest_time=if(like(apiEndTime,"%ZERO_TIME%"),"now",apiEndTime)
| table _time user earliest_time latest_time search search_id

topic Can somebody from Splunk please explain the changes to GUI search logging in Monitoring Splunk

Can somebody from Splunk please explain the changes to GUI search logging

Re: Can somebody from Splunk please explain the changes to GUI search logging