Getting Data In

How to get Information with fields of index: _audit?

Taruchit
Contributor

Hi All,

I am searching for data in the index for searches which users executed with the time range "All Time".

index=_audit search_et="N/A" search_lt="N/A" user!="splunk-system-user"

I got events with the following fields: -

  • info
  • has_error_warn
  • fully_completed_search
  • total_run_time
  • event_count
  • result_count
  • available_count
  • scan_count
  • drop_count
  • exec_count
  • api_et
  • api_lt
  • api_index_et
  • api_index_lt
  • is_realtime
  • search_startup_time
  • is_prjob
  • searched_buckets
  • eliminated_buckets
  • considered_events
  • total_slices
  • decompressed_slices
  • duration.command.search_index

And many others.

I need your help and guidance on seeking details about the fields fetched by the _audit index.

Thank you


Taruchit
Contributor

Based on the findings so far, I could understand the following details on the fields listed in the thread description: -

  • info: - Information about the search executed by the user.
  • has_error_warn: - False: if no error was observed in the user's search. True: if an error was observed in the user's search.
  • fully_completed_search: - Returns true even when the user had stopped the search mid-way.
  • total_run_time: - Total time it took for the user's search to complete.
  • event_count: - Total number of events fetched by the user's search.
  • result_count: - Total number of results returned by the user's search.
  • available_count: - Total number of events available for export.
  • scan_count: - Total number of events fetched by the user's search.
  • drop_count: - Returned for realtime searches only: the number of possible events that were dropped due to rt_queue_size.
  • exec_time: - Epoch value of the timestamp at which the user's search completed or at which the user's search was stopped.
  • api_et: - The epoch value of the time at which the search started.
  • api_lt: - The epoch value of the time at which the search ended.
  • is_realtime: - 0: If the search was not realtime. 1: If the search was realtime.
  • savedsearch_name: - Saved search title that got executed.
  • search_startup_time: - This field represents the time for a search to start up, in seconds.
  • is_prjob: - This field indicates whether the search is a pre-run search or not.
  • app: - Splunk app used by user's search.
  • searched_buckets: - The number of index buckets that were searched to fetch the relevant data.
  • eliminated_buckets: - The number of index buckets that were eliminated during the search process.
  • considered_events: - Total number of events considered during the search process.

If anyone can share their inputs to better understand the above points, or share information about the fields which I could not document, it would be very helpful.

Thank you
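As an added illustration (not from this thread and not Splunk's own code), here is a small Python script that parses constructed audit.log-style search events, applies the same filter as the search in the question (search_et and search_lt both N/A, system user excluded), and summarizes the cost-related fields discussed above. Field names follow the thread; the sample lines and all their values are made up.

```python
import re

# Constructed sample lines in the shape of Splunk's audit.log search events
# (field names as listed in this thread; every value here is made up).
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=03-15-2024 10:02:11.000, user=alice, action=search, info=completed, "
    "search_id='1710496931.17', total_run_time=42.5, event_count=1200000, result_count=500, "
    "available_count=500, scan_count=1200000, drop_count=0, exec_time=1710496973, "
    "api_et=N/A, api_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name=\"\", "
    "search_startup_time=\"12\", is_prjob=false, app=\"search\", searched_buckets=180][n/a]",
    "Audit:[timestamp=03-15-2024 10:05:00.000, user=splunk-system-user, action=search, "
    "info=completed, search_id='1710497100.2', total_run_time=0.3, result_count=10, "
    "scan_count=10, search_et=N/A, search_lt=N/A, is_realtime=0, app=\"search\"][n/a]",
    "Audit:[timestamp=03-15-2024 10:07:30.000, user=bob, action=search, info=completed, "
    "search_id='1710497250.9', total_run_time=1.8, result_count=300, scan_count=4000, "
    "search_et=1710410850, search_lt=1710497250, is_realtime=0, app=\"search\"][n/a]",
]
# key=value pairs; values may be single-quoted, double-quoted, or bare (up to the next comma)
PAIR_RE = re.compile(r"([\w.]+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")


def parse_audit_event(line):
    """Return the key=value pairs inside Audit:[ ... ] as a dict, quotes stripped."""
    body = line.split("Audit:[", 1)[1].rsplit("][", 1)[0]
    return {k: v.strip().strip("'\"") for k, v in PAIR_RE.findall(body)}


def all_time_searches(lines, system_user="splunk-system-user"):
    """Same filter as the thread's SPL: search_et and search_lt are N/A (All Time)
    and the search was not run by the system user."""
    hits = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("user") == system_user:
            continue
        if ev.get("search_et") == "N/A" and ev.get("search_lt") == "N/A":
            hits.append(ev)
    return hits


def summarize(ev):
    """Cost-related fields for one All Time search; events scanned per result
    returned is a quick indicator of a poorly scoped search."""
    scan = int(ev.get("scan_count", 0))
    results = int(ev.get("result_count", 0))
    return {
        "user": ev["user"],
        "total_run_time": float(ev.get("total_run_time", 0)),
        "scan_count": scan,
        "result_count": results,
        "scan_per_result": scan / results if results else float("inf"),
    }
```

Running `summarize` over `all_time_searches(SAMPLE_AUDIT_LINES)` keeps only alice's search, which scanned 2400 events per returned result.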

Taruchit
Contributor

Hi @somesoni2,

I found you had answered a similar question in 2013: https://community.splunk.com/t5/Splunk-Search/Identify-users-and-searches-searching-over-all-time/td...

Thus, it would be very helpful if you could share your inputs on understanding the fields returned by events of the index: _audit.

Thank you


Taruchit
Contributor

Hi @Azeemering,

I read your response on thread: https://community.splunk.com/t5/Monitoring-Splunk/audit-command-in-splunk/m-p/225849 about the usage of index: _audit.

It would be very helpful if you could help by sharing your inputs on the fields returned by the index.

Thank you
