What is the meaning of the Splunk Audit.log fields?

arpit_arora
Explorer

Hello, I am interested in finding the meaning of the following fields:

(1) event_count
(2) result_count
(3) available_count
(4) scan_count
(5) drop_count

Example is below.

Audit:[timestamp=02-03-2018 00:00:35.896, user=zops, action=search, info=canceled, search_id='1517615960.185830_86974EF3-D4A7-4683-B69E-19206AFBB708', total_run_time=0.40, event_count=0, result_count=0, available_count=0, scan_count=157, drop_count=0, exec_time=1517615960, api_et=1517615060.000000000, api_lt=1517615960.000000000, search_et=1517615700.000000000, search_lt=1517615880.000000000, is_realtime=0, savedsearch_name="", search_startup_time="305", searched_buckets=236, eliminated_buckets=115, considered_events=157, total_slices=3905957, decompressed_slices=101][n/a]

acharlieh
Influencer

I believe these are some of the fields that are also available as properties through the Job Inspector. Docs: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/ViewsearchjobpropertieswiththeJobInspector

For the terms you asked about in particular:

scan_count
scanCount - The number of events that are scanned or read off disk
event_count
eventCount - The number of events returned by the search.
result_count
resultCount - The total number of results returned by the search.
available_count
eventAvailableCount - The number of events that are available for export.
drop_count
dropCount - In real-time searches only, the number of possible events dropped due to queue size.

In other words, if I run a search, the number of events read off of disk for my search is scan_count, but the number of events that qualify for my search is event_count.

result_count could be the same as event_count if I was just retrieving events, but if I did some form of statistics in my search, that could be different. (For example, if my search ended with | stats count, result_count would be 1.) available_count would be more than zero if I was able to export any events (i.e. if I had events, and I was doing a non-transforming search, or I was running in verbose mode).
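
As an added example (not part of the original thread and not Splunk's own code), the script below parses audit.log search records of the kind quoted in the question and applies the field relationships from the answer: scan_count is what was read off disk, event_count is what matched, result_count shrinks below event_count for a transforming search, and drop_count only matters for real-time searches. The first sample line is the one quoted in the question; the other two are constructed for illustration, as are the flag names and the per-user roll-up.

```python
import re

# Sample audit.log lines. The first is the line quoted in the question above;
# the other two are constructed for this example and are not real records.
SAMPLE_LINES = [
    "Audit:[timestamp=02-03-2018 00:00:35.896, user=zops, action=search, info=canceled, "
    "search_id='1517615960.185830_86974EF3-D4A7-4683-B69E-19206AFBB708', total_run_time=0.40, "
    "event_count=0, result_count=0, available_count=0, scan_count=157, drop_count=0, "
    "exec_time=1517615960, api_et=1517615060.000000000, api_lt=1517615960.000000000, "
    "search_et=1517615700.000000000, search_lt=1517615880.000000000, is_realtime=0, "
    "savedsearch_name=\"\", search_startup_time=\"305\", searched_buckets=236, "
    "eliminated_buckets=115, considered_events=157, total_slices=3905957, "
    "decompressed_slices=101][n/a]",
    # constructed: real-time search that dropped events from its queue
    "Audit:[timestamp=02-03-2018 00:05:12.001, user=analyst1, action=search, info=granted, "
    "search_id='rt_1517616312.42', total_run_time=30.10, event_count=420, result_count=420, "
    "available_count=420, scan_count=98000, drop_count=12, exec_time=1517616312, "
    "is_realtime=1, savedsearch_name=\"\"][n/a]",
    # constructed: transforming search (| stats count) with a comma in the saved search name
    "Audit:[timestamp=02-03-2018 00:07:40.500, user=zops, action=search, info=granted, "
    "search_id='1517616460.77', total_run_time=2.25, event_count=5000, result_count=1, "
    "available_count=0, scan_count=5000, drop_count=0, exec_time=1517616460, "
    "is_realtime=0, savedsearch_name=\"Failed logins, hourly\"][n/a]",
]

# Audit:[key=value, key='quoted', key="quoted"][n/a]
AUDIT_RE = re.compile(r"Audit:\[(?P<body>.*)\]\[(?P<tail>[^\]]*)\]$")
# A value is single-quoted, double-quoted, or runs to the next comma/bracket.
# Unquoted values may contain spaces (the timestamp does).
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")


def _coerce(raw):
    """Strip quotes from quoted values; turn bare numerics into int/float."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    for conv in (int, float):
        try:
            return conv(raw)
        except ValueError:
            pass
    return raw


def parse_audit_line(line):
    """Return the audit record as a dict, or None if the line is not an Audit:[...] record."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    rec = {key: _coerce(val) for key, val in FIELD_RE.findall(m.group("body"))}
    rec["_tail"] = m.group("tail")
    return rec


def selectivity(rec):
    """Fraction of scanned events that matched the search; None if nothing was scanned."""
    scan = rec.get("scan_count", 0)
    return rec.get("event_count", 0) / scan if scan else None


def triage(rec):
    """Flag names (hypothetical, chosen for this example) derived from the field relationships."""
    flags = []
    if rec.get("action") != "search":
        return flags
    scan = rec.get("scan_count", 0)
    events = rec.get("event_count", 0)
    results = rec.get("result_count", 0)
    # drop_count is only meaningful for real-time searches
    if rec.get("is_realtime") == 1 and rec.get("drop_count", 0) > 0:
        flags.append("realtime_dropped_events")
    # read events off disk but none qualified (poor selectivity, or search was canceled)
    if scan > 0 and events == 0:
        flags.append("scanned_but_matched_nothing")
    # result_count below event_count means a transforming command (e.g. | stats) ran
    if events > 0 and results < events:
        flags.append("transforming_search")
    return flags


def summarize_by_user(records):
    """Per-user totals of searches run, events scanned off disk and events matched."""
    out = {}
    for rec in records:
        if not rec or rec.get("action") != "search":
            continue
        u = out.setdefault(rec["user"], {"searches": 0, "scanned": 0, "returned": 0})
        u["searches"] += 1
        u["scanned"] += rec.get("scan_count", 0)
        u["returned"] += rec.get("event_count", 0)
    return out


if __name__ == "__main__":
    records = [parse_audit_line(l) for l in SAMPLE_LINES]
    for rec in records:
        print(rec["user"], rec["search_id"], selectivity(rec), triage(rec))
    print(summarize_by_user(records))
```

The regular expression handles the two value quoting styles that appear in the quoted line (single quotes around search_id, double quotes around savedsearch_name and search_startup_time), so a saved search name containing a comma is not split. Searches with a very high scan_count and near-zero selectivity are worth a look as a performance problem; the per-user roll-up is a starting point for spotting accounts running unusually broad searches.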
