@sudheerchamarthi based on how long the job takes to expire you can use the following REST API to pull details of the search executed. Refer to REST API Documentation: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs
| rest /services/search/jobs/1476267099.133508 | fields sid eai:acl.app eai:acl.owner title label dispatchStatesearch searchEarliestTime searchLatestTime eventCount scanCount resultCount runDuration *
The sid you have is from 2016 as the search_id has a epoch timestamp embedded in it on when the search was executed. 1476267099 = Wed, 12 Oct 2016 10:11:39 GMT. If you have audit logs from that long ago you would need to set you earliest/latest to go that far back in time. If you set your earliest as 1476230400 and your latest as 1476316800 in your search you should get results. If you don't have audit logs that long ago, then you will be unable to recover that search.
index=_audit search_id="*1476267099.133508*" info=granted search=* earliest=1476230400 latest=1476316800
I put wildcards around the search_id as I've found that they typically have single quotes around them but I wanted to make it generic enough that it should just work when you run it.
@dmarling I tried with a SId that has today's epoch time, below is my query and I did not get any results. Was Suspecting need to do some system level settings
You need to put astericks around the search_id or single quotes e.g.
index=_audit sourcetype=audittrail search_id="*1559561790*" info=granted
index=_audit sourcetype=audittrail search_id="'1559561790*" info=granted
This search might work for you:
index=_audit action=search info=granted search_id=* | append [search index=_internal sourcetype=splunkd action=search info=granted search=*] | fields search_id search | table search_id search