Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What's the relationship between api_lt/api_et and search_lt/search_et in _audit?

danielbb
Motivator
‎06-27-2025 08:57 AM

Are these fields mutually exclusive? I'm not sure about the relation between these four fields.

Labels (3)
Labels
Tags (1)
0 Karma
Reply

PrewinThomas
Motivator
‎06-29-2025 09:46 PM

@danielbb 

I dont think there is any public document available from Splunk for this field-to-field explanations.
They doesn't seem mutually exclusive, as it can be same or differ depends on the search.

Also you can refer - #https://community.splunk.com/t5/Splunk-Search/index-audit-contents/m-p/338588

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎06-27-2025 09:26 AM

Hi @danielbb 

My understanding on this (and I'd also be pleased if someone can confirm!) is that api_lt and api_et represent the time parameters provided by the user in the time picker or API when running a search, but search_lt and search_et represent the actual earliest and latest time used by Splunk during the search execution.

If the user specifies an earliest/latest in the search for example, this would override the time picker values (api_et/api_lt). If not earliest/latest in the search then search_et/lt become api_lt.

I dont recall seeing docs around this though so if someone can find any please let me know 🙂

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply

tscroggins
Influencer
‎06-29-2025 06:07 PM

Hi @livehybrid,

api_lt and api_et should correspond to the UI time range or the earliest_time and latest_time search API paramters as you noted, although I don't know if this is publicly documented.

Similarly, api_index_et and api_index_lt should correspond to the index_earliest and index_latest search API parameters.

search_lt and search_et should correspond to the computed epoch second values from the earliest, latest, and other time modifiers if they're provided as part of the base search:

index=main foo earliest=-24h@h latest=now

index=main foo starttime=06/29/2025:20:50:00

The audit log doesn't appear to capture the values passed to _index_earliest and _index_latest or translate them to api_index_et and api_index_lt, unfortunately, but they should be present in the search text.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...