Hello Community,
I have the sid from splunkd.log. Now I would like to know if there is any way to get the actual query that was executed from this sid?
I tried below but it is not working
index=_audit search_id=1476267099.133508 info=granted search=*
This search might work for you:
index=_audit action=search info=granted search_id=*
| append [search index=_internal sourcetype=splunkd action=search info=granted search=*]
| fields search_id search
| table search_id search
The sid you have is from 2016 as the search_id has a epoch timestamp embedded in it on when the search was executed. 1476267099 = Wed, 12 Oct 2016 10:11:39 GMT. If you have audit logs from that long ago you would need to set you earliest/latest to go that far back in time. If you set your earliest as 1476230400 and your latest as 1476316800 in your search you should get results. If you don't have audit logs that long ago, then you will be unable to recover that search.
index=_audit search_id="*1476267099.133508*" info=granted search=* earliest=1476230400 latest=1476316800
I put wildcards around the search_id as I've found that they typically have single quotes around them but I wanted to make it generic enough that it should just work when you run it.
@dmarling I tried with a SId that has today's epoch time, below is my query and I did not get any results. Was Suspecting need to do some system level settings
index=_audit sourcetype=audittrail
search_id="1559561790" info=granted
search=
You need to put astericks around the search_id or single quotes e.g.
index=_audit sourcetype=audittrail
search_id="*1559561790*" info=granted
OR
index=_audit sourcetype=audittrail
search_id="'1559561790*" info=granted
You need to put single ticks (') around "search_id", as in:
index=_audit sourcetype=audittrail search_id='1476267099.133508'
@sudheerchamarthi based on how long the job takes to expire you can use the following REST API to pull details of the search executed. Refer to REST API Documentation: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs
| rest /services/search/jobs/1476267099.133508
| fields sid eai:acl.app eai:acl.owner title label dispatchStatesearch searchEarliestTime searchLatestTime eventCount scanCount resultCount runDuration *