Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index=_audit contents?

saranya_fmr
Communicator
‎03-07-2017 02:06 AM

Could someone please tell me what these following fields in the audit index refer to? OR please guide me to the right Splunk doc coz I didn't find much info from splunk docs.

  • apiStartTime apiEndTime
  • total_run_time
  • exec_time
  • api_et , api_It
  • search_lt , search_et
  • scan_count
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

0 Karma
Reply
Solved! Jump to solution

saranya_fmr
Communicator
‎03-07-2017 10:31 PM

Thankyou @sloshburch , but a small query ,

a) Whats the difference amongst these -

  1. api_et , api_It
  2. apiStartTime apiEndTime
  3. search_lt , search_et

b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-09-2017 11:48 AM

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent as NULL because there is no start/end time if there is no search.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...