
Search ID or sid


I have extracted this log because I need to get the search ID in order to get the SPL used. This is a search that triggers an alert.

Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rtschedulerasjkhasjfgalsjgasljfsearchasjkhasjfgalsjgasljfat1527059197_2.17][n/a]
Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rtschedulerasjkhasjfgalsjgasljfsearchasjkhasjfgalsjgasljfat1527059197_2.18][n/a]

Question: which part of the log is the search ID or sid?
For example, if I use this search, what would the search ID be, taken from the audit event above?

index=_audit search_id='<your sid>' info=granted | table search,savedsearch_name

Thanks!


Re: Search ID or sid


@teddyidc1101, the sids would be rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.17 and rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18.

However, if you want to pull details about the search ID, you should try either the loadjob command or the REST endpoint /services/search/jobs:

|  loadjob "rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18"

Or

|  rest /services/search/jobs/rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18



| eval message="Happy Splunking!!!"
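Pulling the sid out of an _audit event and building the follow-up search from the question, as an added Python example that is not part of the thread; the field layout is assumed from the posted events, and the sample lines are constructed using the underscore-containing sid form given in this reply.

```python
import re
from typing import Optional

# Field layout assumed from the _audit events posted in the question:
#   Audit:[timestamp=..., user=..., action=..., info=...][n/a]
AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<timestamp>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>.*?)\]\[(?P<tail>[^\]]*)\]$"
)
# The sid is the final path element of the REST job URL inside info=.
SID_RE = re.compile(r"REST: /search/jobs/(?P<sid>[^\s/\]]+)")

def parse_audit(line: str) -> Optional[dict]:
    """Audit fields plus the extracted sid, or None if the shape is wrong."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sid_match = SID_RE.search(rec["info"])
    rec["sid"] = sid_match.group("sid") if sid_match else None
    # scheduler_/rt_scheduler_ prefixes mark scheduled (alert) searches;
    # an ad hoc search run by a user typically gets a timestamp-based sid.
    rec["scheduled"] = bool(rec["sid"]) and rec["sid"].startswith(("scheduler", "rt_scheduler"))
    return rec

def spl_for_sid(sid: str) -> str:
    """Follow-up search from the question; double quotes make the sid a literal."""
    return f'index=_audit search_id="{sid}" info=granted | table search, savedsearch_name'

def scheduled_sids(lines) -> list:
    """sids of scheduled searches only, i.e. the ones that can fire alerts."""
    return [r["sid"] for r in map(parse_audit, lines) if r and r["scheduled"]]

# Constructed sample events: the first two reuse the sid from the reply above,
# the third is an invented ad hoc search, the last is not an audit event at all.
SAMPLE_LINES = [
    "Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, "
    "info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.17][n/a]",
    "Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, "
    "info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf__search__asjkhasjfgalsjgasljf_at_1527059197_2.18][n/a]",
    "Audit:[timestamp=05-30-2018 01:30:02.001, user=analyst, action=search, "
    "info=granted REST: /search/jobs/1527643802.42][n/a]",
    "not an audit event",
]

if __name__ == "__main__":
    for sid in scheduled_sids(SAMPLE_LINES):
        print(spl_for_sid(sid))
```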



Re: Search ID or sid


I tried both commands:

|loadjob
Error in 'SearchOperator:loadjob': Cannot find jobid '“rtschedulerasjkhasjfgalsjgasljfsearchasjkhasjfgalsjgasljfat15270591972.18”'.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

|rest /services/search/jobs/
Error in 'rest' command: Invalid argument: ‘rtschedulerasjkhasjfgalsjgasljfsearchasjkhasjfgalsjgasljfat1527059197_2.18'
The search job has failed due to an error. You may be able view the job in the Job Inspector.


Re: Search ID or sid


@teddyidc1101 the job that you are trying to find has already expired!




| eval message="Happy Splunking!!!"



Re: Search ID or sid


@teddyidc1101, if the answer/clarification satisfies your query please accept the answer 🙂




| eval message="Happy Splunking!!!"

