Splunk Search

How to get the actual Query from SID?

sudheerchamarth
Explorer

Hello Community,

I have the sid from splunkd.log. Now I would like to know if there is any way to get the actual query that was executed from this sid?

I tried the search below but it is not working:

index=_audit search_id=1476267099.133508 info=granted search=*

0 Karma

martynoconnor
Communicator

This search might work for you:

index=_audit action=search info=granted search_id=*
| append [search index=_internal sourcetype=splunkd action=search info=granted search=*]
| fields search_id search
| table search_id search
0 Karma

dmarling
Builder

The sid you have is from 2016, as the search_id has an epoch timestamp embedded in it showing when the search was executed. 1476267099 = Wed, 12 Oct 2016 10:11:39 GMT. If you have audit logs from that long ago, you would need to set your earliest/latest to go that far back in time. If you set your earliest as 1476230400 and your latest as 1476316800 in your search, you should get results. If you don't have audit logs from that long ago, then you will be unable to recover that search.

index=_audit search_id="*1476267099.133508*" info=granted search=* earliest=1476230400  latest=1476316800 

I put wildcards around the search_id as I've found that they typically have single quotes around them but I wanted to make it generic enough that it should just work when you run it.

If this comment/answer was helpful, please up vote it. Thank you.

sudheerchamarth
Explorer

@dmarling I tried with a SID that has today's epoch time; below is my query and I did not get any results. I was suspecting I need to do some system-level settings.

index=_audit sourcetype=audittrail
search_id="1559561790" info=granted
search=

0 Karma

dmarling
Builder

You need to put asterisks around the search_id, or single quotes, e.g.

index=_audit sourcetype=audittrail
search_id="*1559561790*" info=granted

OR

index=_audit sourcetype=audittrail
search_id="'1559561790*" info=granted
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma

jwalthour
Communicator

You need to put single ticks (') around "search_id", as in:

index=_audit sourcetype=audittrail search_id='1476267099.133508'

0 Karma

niketn
Legend

@sudheerchamarthi based on how long the job takes to expire you can use the following REST API to pull details of the search executed. Refer to REST API Documentation: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs

| rest /services/search/jobs/1476267099.133508
| fields sid eai:acl.app eai:acl.owner title label dispatchState search searchEarliestTime searchLatestTime eventCount scanCount resultCount runDuration *
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma