
How to get the actual Query from SID?

Hello Community,

I have the sid from splunkd.log. Now I would like to know if there is any way to get the actual query that was executed from this sid?

I tried the search below, but it is not working:

index=audit searchid=1476267099.133508 info=granted search=*


Re: How to get the actual Query from SID?


@sudheerchamarthi based on how long the job takes to expire you can use the following REST API to pull details of the search executed. Refer to REST API Documentation: https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#search.2Fjobs

| rest /services/search/jobs/1476267099.133508
| fields sid eai:acl.app eai:acl.owner title label dispatchState search searchEarliestTime searchLatestTime eventCount scanCount resultCount runDuration *

Re: How to get the actual Query from SID?


You need to put single ticks (') around "search_id", as in:

index=audit sourcetype=audittrail searchid='1476267099.133508'


Re: How to get the actual Query from SID?


The sid you have is from 2016, as the search_id has an epoch timestamp embedded in it indicating when the search was executed. 1476267099 = Wed, 12 Oct 2016 10:11:39 GMT. If you have audit logs from that long ago, you would need to set your earliest/latest to go that far back in time. If you set your earliest as 1476230400 and your latest as 1476316800 in your search, you should get results. If you don't have audit logs from that long ago, then you will be unable to recover that search.

index=_audit search_id="*1476267099.133508*" info=granted search=* earliest=1476230400  latest=1476316800 

I put wildcards around the search_id as I've found that they typically have single quotes around them but I wanted to make it generic enough that it should just work when you run it.

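An added helper (not code from the thread) that automates the approach above: pull the epoch embedded in a SID, derive the UTC day window around it, and build the _audit search with wildcards around the search_id. The scheduled-search SID shape ("..._at_<epoch>_<n>") and the sample SIDs are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone

# Assumed SID shapes: ad hoc "<epoch>.<n>" (as in the thread) and the
# scheduled-search form "..._at_<epoch>_<n>" (assumption for this example).
_SID_PATTERNS = (
    re.compile(r"_at_(\d{10})_\d+$"),  # scheduled search
    re.compile(r"^(\d{10})\.\d+$"),    # ad hoc search
)

def sid_epoch(sid: str) -> int:
    """Return the epoch seconds embedded in a Splunk search id."""
    for pattern in _SID_PATTERNS:
        m = pattern.search(sid)
        if m:
            return int(m.group(1))
    raise ValueError(f"no epoch timestamp found in sid {sid!r}")

def audit_window(epoch: int) -> tuple[int, int]:
    """UTC midnight boundaries of the day the search ran (the window used above)."""
    start = epoch - (epoch % 86400)
    return start, start + 86400

def audit_search(sid: str) -> str:
    """Build the _audit SPL that recovers the query text for a SID.

    Wildcards around the sid absorb the single quotes _audit puts around search_id.
    """
    earliest, latest = audit_window(sid_epoch(sid))
    return (
        f'index=_audit action=search info=granted search_id="*{sid}*" '
        f"earliest={earliest} latest={latest} "
        "| fields search_id search"
    )

if __name__ == "__main__":
    # Constructed sample SIDs; the scheduled one is an assumed shape.
    for sid in ("1476267099.133508",
                "scheduler__admin__search__RMD5abc_at_1476267099_12345"):
        when = datetime.fromtimestamp(sid_epoch(sid), tz=timezone.utc)
        print(sid, when.isoformat(), audit_search(sid), sep="\n  ")
```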

Re: How to get the actual Query from SID?

@dmarling I tried with a SID that has today's epoch time; below is my query, and I did not get any results. I was suspecting that I need to do some system-level settings.

index=audit sourcetype=audittrail search_id="1559561790" info=granted search=


Re: How to get the actual Query from SID?


You need to put asterisks around the search_id, or single quotes, e.g.

index=_audit sourcetype=audittrail
search_id="*1559561790*" info=granted

OR

index=_audit sourcetype=audittrail
search_id="'1559561790*" info=granted

Re: How to get the actual Query from SID?


This search might work for you:

index=_audit action=search info=granted search_id=*
| append [search index=_internal sourcetype=splunkd action=search info=granted search=*]
| fields search_id search
| table search_id search