Search.log records related to past search

lukasmecir
Path Finder

Hi,

I have a question about search.log. I know I can find the log records related to a particular search in search.log using the Job Inspector (clicking on the link to search.log at the bottom of the Job Inspector). But my question is: is there any way to get the records related to a particular search from the past? Example: I made a search yesterday, and today I would like to get all log records related to this search from the search.log file. Is there any way to do it? Thanks in advance for any info or hint.

Best regards

Lukas

0 Karma

richgalloway
SplunkTrust

By default, ad-hoc search results expire after 10 minutes so there's no way to get the log for yesterday's searches, unless you used the Share button to extend the expiration time of the search.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

lukasmecir
Path Finder

Thanks for the info. Honestly, I was afraid of that, but it is good to get confirmation from someone well experienced. Just for clarification: does it mean that all records related to a particular search are deleted from the search.log file 10 minutes after the search was performed (with the default setting)?

0 Karma