I have extracted this log because I need to get the search ID in order to get the SPL used. This is a search that triggers an alert.
Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.17][n/a]
Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.18][n/a]
Question: which part of the log is the search ID, or sid?
Like, if I use this code, what will be the search ID to use from the audit event above?
"index=_audit search_id='<your sid>' info=granted | table search,savedsearch_name"
Thanks!
@teddyidc1101, sids would be rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.17
and rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18
However, if you want to pull details about the search ID, you should try either the loadjob command or the REST endpoint /services/search/jobs
| loadjob "rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18"
Or
| rest /services/search/jobs/rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18
I tried both commands.
|loadjob
Error in 'SearchOperator:loadjob': Cannot find job_id '“rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.18”'.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
|rest /services/search/jobs/
Error in 'rest' command: Invalid argument: ‘rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.18'
The search job has failed due to an error. You may be able view the job in the Job Inspector.
@teddyidc1101 the job that you are trying to find has already expired!
@teddyidc1101, if the answer/clarification satisfies your query please accept the answer 🙂