Find search by the search id

Splunk Employee

I'd like to find the search query by search id. When searching the audit.log I can find the search id, but I am unable to locate the actual search. How can I access/view this?

0 Karma
1 Solution

SplunkTrust

Look for the search field returned by a search like this:

index=_audit action=search info=granted search_id='scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5eddd0618b168fff8_at_1457648640_1115'

Splunk Employee

Gotcha...I missed the search field. Thanks!

0 Karma
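
Added example, not part of the original thread: when only the raw audit.log file is at hand rather than the _audit index, the lookup the accepted answer describes (search_id to the search field on granted search events) can be done offline. The Audit:[...] line layout, the constructed sample lines and the function name searches_by_id are assumptions made for this example.

```python
import re

# search_id quoted in the answer above; the search text paired with it below is made up.
PAGE_SID = "scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5eddd0618b168fff8_at_1457648640_1115"

# Constructed audit.log lines. The Audit:[key=value, ...][n/a] layout is an
# assumption about how splunkd writes the file; adjust the patterns if yours differs.
SAMPLE_AUDIT_LOG = f"""\
03-10-2016 14:23:51.101 -0800 INFO  AuditLogger - Audit:[timestamp=03-10-2016 14:23:51.101, user=admin, action=search, info=granted , search_id='1457648631.7', search='search index=main sourcetype='syslog' | stats count by host', autojoin='1', buckets=0, ttl=600][n/a]
03-10-2016 14:23:53.550 -0800 INFO  AuditLogger - Audit:[timestamp=03-10-2016 14:23:53.550, user=admin, action=search, info=completed, search_id='1457648631.7', total_run_time=2.41, event_count=120][n/a]
03-10-2016 14:24:00.009 -0800 INFO  AuditLogger - Audit:[timestamp=03-10-2016 14:24:00.009, user=splunk-system-user, action=search, info=granted , search_id='{PAGE_SID}', search='search index=main | stats count by sourcetype', autojoin='1', buckets=0, ttl=600][n/a]
03-10-2016 14:25:11.000 -0800 INFO  AuditLogger - Audit:[timestamp=03-10-2016 14:25:11.000, user=jdoe, action=edit_user, info=denied ][n/a]
"""

AUDIT_BODY = re.compile(r"Audit:\[(?P<body>.*)\]\[[^\]]*\]\s*$")
USER = re.compile(r"\buser=(?P<v>[^,]+)")
ACTION = re.compile(r"\baction=(?P<v>[^,\s]+)")
INFO = re.compile(r"\binfo=(?P<v>[^,\s]+)")
SID = re.compile(r"\bsearch_id='(?P<v>[^']*)'")
# The search string is not escaped and may itself contain single quotes, so the
# value ends only at a quote followed by the next ", key=" pair or the body end.
SEARCH = re.compile(r"\bsearch='(?P<v>.*?)'(?=, \w+=|$)")


def searches_by_id(log_text):
    """Map search_id -> (user, search string) for action=search info=granted events."""
    found = {}
    for line in log_text.splitlines():
        m = AUDIT_BODY.search(line)
        if not m:
            continue  # not an audit record
        body = m.group("body")
        action, info = ACTION.search(body), INFO.search(body)
        if not (action and info and action["v"] == "search" and info["v"] == "granted"):
            continue  # completed/denied/other events do not carry the query here
        sid, query, user = SID.search(body), SEARCH.search(body), USER.search(body)
        if sid and query:
            found[sid["v"]] = (user["v"].strip() if user else None, query["v"])
    return found


if __name__ == "__main__":
    for sid, (user, query) in searches_by_id(SAMPLE_AUDIT_LOG).items():
        print(f"{sid}\t{user}\t{query}")
```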