Solved: What is the meaning of the Splunk Audit.log fields...

arpit_arora · ‎02-02-2018

Hello, I am interested in finding the meaning of the following fields?

(1) event_count
(2) result_count
(3) available_count
(4) scan_count
(5) drop_count

Example is below.

Audit:[timestamp=02-03-2018 00:00:35.896, user=zops, action=search, info=canceled, search_id='1517615960.185830_86974EF3-D4A7-4683-B69E-19206AFBB708', total_run_time=0.40, event_count=0, result_count=0, available_count=0, scan_count=157, drop_count=0, exec_time=1517615960, api_et=1517615060.000000000, api_lt=1517615960.000000000, search_et=1517615700.000000000, search_lt=1517615880.000000000, is_realtime=0, savedsearch_name="", search_startup_time="305", searched_buckets=236, eliminated_buckets=115, considered_events=157, total_slices=3905957, decompressed_slices=101][n/a]

acharlieh · ‎02-02-2018

I believe these are some of the fields that are also available as properties through the Job Inspector. Docs: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/ViewsearchjobpropertieswiththeJobInspector

For the terms you asked about in particular:

scan_count: scanCount - The number of events that are scanned or read off disk
event_count: eventCount - The number of events returned by the search.
result_count: resultCount - The total number of results returned by the search.
available_count: eventAvailableCount - The number of events that are available for export.
drop_count: dropCount - In real-time searches only, the number of possible events dropped due to queue size.

In other words, if I run a search, the number of events read off of disk for my search is scan_count, but the number of events that qualify for my search is event_count.

result_count could be the same as event_count if I was just retrieving events, but if I did some form of statistics, in my search that could be different. ( For example if my search ended with | stats count, result_count would be 1). available_count would be more than zero if I was able to export any events (i.e. if I had events, and I was doing a non-transforming search, or I was running in verbose mode ).

View solution in original post

acharlieh · ‎02-02-2018

I believe these are some of the fields that are also available as properties through the Job Inspector. Docs: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/ViewsearchjobpropertieswiththeJobInspector

For the terms you asked about in particular:

scan_count: scanCount - The number of events that are scanned or read off disk
event_count: eventCount - The number of events returned by the search.
result_count: resultCount - The total number of results returned by the search.
available_count: eventAvailableCount - The number of events that are available for export.
drop_count: dropCount - In real-time searches only, the number of possible events dropped due to queue size.

In other words, if I run a search, the number of events read off of disk for my search is scan_count, but the number of events that qualify for my search is event_count.

result_count could be the same as event_count if I was just retrieving events, but if I did some form of statistics, in my search that could be different. ( For example if my search ended with | stats count, result_count would be 1). available_count would be more than zero if I was able to export any events (i.e. if I had events, and I was doing a non-transforming search, or I was running in verbose mode ).

What is the meaning of the Splunk Audit.log fields?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...