Splunk Search

What does the status of "info=granted" mean in my search?

rahulrawlani
Explorer

I am trying to find out all the searches made by users in Splunk. I am running the below search

index=_audit action=search user!="splunk-system-user" search_id=* | table search_id savedsearch_name search user info total_run_time is_realtime

I see 4 status options for the info field:
1. completed
2. cancelled
3. granted
4. failed

I see that many of the searches (regardless of whether they are saved searches or ad-hoc) are assigned info as "granted". I do not have any idea what "granted" means. Can anyone please help me here?

0 Karma

net1993
Path Finder

@yannK
Where can I find documentation on all possible values of that field and the meaning of each value?

0 Karma

amartin6
Path Finder

We were seeing more "completed" searches than "granted" searches; we had to exclude subsearches:
index=_audit action=search search=* search_id!="'subsearch*" info=granted

0 Karma

yannK
Splunk Employee

"granted" means that the scheduler or the user was allowed to run the search.
The search will run when possible.
Then once the job is done, you will see the field value "completed".

This is because a job can be delayed or queued (depending on the prioritization, execution windows, or concurrent search limits).

0 Karma
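Putting yannK's answer (a search is first "granted", then later "completed", "cancelled" or "failed") together with amartin6's subsearch exclusion, here is an added Python example that is not from the original thread or from Splunk: it walks constructed _audit-style events, tracks each search_id from "granted" to its terminal state, and lists searches that were granted but have no terminal event yet (queued, delayed, or still running). The event lines, users and search_ids are constructed samples; the parser assumes Splunk's Audit:[key=value, ...] layout with single-quoted values.

```python
import re

# Constructed sample _audit events in Splunk's Audit:[k=v, ...] style (not real logs).
# The trailing space after "granted " mirrors how real audit events look.
SAMPLE_AUDIT = """\
Audit:[timestamp=12-18-2024 10:00:01.000, user=alice, action=search, info=granted , search_id='1734516001.100', search='search index=main error']
Audit:[timestamp=12-18-2024 10:00:02.000, user=alice, action=search, info=granted , search_id='subsearch_1734516001.100_1', search='search index=main']
Audit:[timestamp=12-18-2024 10:00:09.000, user=alice, action=search, info=completed, search_id='1734516001.100', total_run_time=7.5]
Audit:[timestamp=12-18-2024 10:00:10.000, user=bob, action=search, info=granted , search_id='1734516010.200', search='search index=_internal']
Audit:[timestamp=12-18-2024 10:00:20.000, user=bob, action=search, info=cancelled, search_id='1734516010.200']
Audit:[timestamp=12-18-2024 10:01:00.000, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody__search__RMD5abc_at_1734516060_1']
Audit:[timestamp=12-18-2024 10:02:00.000, user=carol, action=search, info=granted , search_id='1734516120.300', search='search index=main']
"""

# key=value where the value is either single-quoted or runs up to the next comma/bracket
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,\]]*))")
TERMINAL = {"completed", "cancelled", "failed"}  # states that end a search's lifecycle


def parse_audit(line):
    """Return the key/value pairs inside one Audit:[...] event as a dict."""
    body = line[line.index("[") + 1:line.rindex("]")]
    return {k: (q if q else u.strip()) for k, q, u in KV_RE.findall(body)}


def search_lifecycle(audit_text, exclude_subsearches=True):
    """Map each search_id to its user and the ordered info states seen for it."""
    lifecycle = {}
    for line in audit_text.splitlines():
        ev = parse_audit(line)
        if ev.get("action") != "search" or "search_id" not in ev:
            continue
        sid = ev["search_id"]
        if exclude_subsearches and sid.startswith("subsearch"):
            continue  # subsearches log their own granted/completed pair and inflate counts
        entry = lifecycle.setdefault(sid, {"user": ev.get("user"), "states": []})
        entry["states"].append(ev["info"])
    return lifecycle


def pending_searches(audit_text, exclude_users=("splunk-system-user",)):
    """search_ids that were granted but have no terminal event yet (queued, delayed, or running)."""
    return sorted(
        sid for sid, e in search_lifecycle(audit_text).items()
        if e["user"] not in exclude_users
        and "granted" in e["states"]
        and not (TERMINAL & set(e["states"]))
    )


if __name__ == "__main__":
    for sid, e in search_lifecycle(SAMPLE_AUDIT).items():
        print(sid, e["user"], " -> ".join(e["states"]))
    print("pending:", pending_searches(SAMPLE_AUDIT))
```

Run against real _audit data, a search_id that stays in the pending list for a long time is one worth checking against the scheduler's concurrency limits or skip/queue messages rather than treating "granted" as a final result.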