Splunk Search

index=_audit contents?

saranya_fmr
Communicator

Could someone please tell me what the following fields in the audit index refer to? Or please guide me to the right Splunk doc, because I didn't find much info in the Splunk docs.

  • apiStartTime, apiEndTime
  • total_run_time
  • exec_time
  • api_et, api_lt
  • search_lt, search_et
  • scan_count
0 Karma
1 Solution

sloshburch
Splunk Employee

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to produce the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

0 Karma

saranya_fmr
Communicator

Thank you @sloshburch, but a small query:

a) What's the difference among these?

  1. api_et, api_lt
  2. apiStartTime, apiEndTime
  3. search_lt, search_et

b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?

0 Karma

sloshburch
Splunk Employee

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent to NULL, because there is no start/end time if there is no search.

0 Karma
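To make the answers above concrete, here is an added example (not from the thread or from Splunk's own code) that parses constructed `index=_audit` style entries into typed fields and interprets them the way the replies describe: ZERO_TIME and N/A become nulls, `search_et`/`search_lt` give the searched time window, `exec_time` the start instant, `total_run_time` the duration, and `scan_count` versus `event_count` the selectivity of the search. The two audit lines, the field layout and the helper names (`parse_audit_line`, `search_summary`, `is_search_audit`) are assumptions built for this illustration; real audit entries carry additional fields.

```python
"""Interpret Splunk _audit search-completion entries (constructed samples)."""
import re
from datetime import datetime, timezone

# Constructed sample entries, modelled on the key=value layout seen in index=_audit.
# The first is a completed search; the second is a non-search action, which is
# why its time-frame fields are ZERO_TIME / N/A.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=07-28-2020 14:11:43.201, user=admin, action=search, info=completed, "
    "search_id='1595945500.123', total_run_time=2.41, event_count=25, result_count=25, "
    "scan_count=18000, exec_time=1595945500, api_et=1595859100.000, api_lt=1595945500.000, "
    "search_et=1595859100.000, search_lt=1595945500.000, "
    "apiStartTime='Mon Jul 27 14:11:40 2020', apiEndTime='Tue Jul 28 14:11:40 2020', "
    "search='search index=main sourcetype=access_combined status=500']",
    "Audit:[timestamp=07-28-2020 14:12:02.917, user=admin, action=edit_user, info=granted, "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', api_et=N/A, api_lt=N/A]",
]

# key=value pairs; quoted values (which may themselves contain '=' and ',') are
# matched first, otherwise the value runs up to the next comma or closing bracket.
_KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")

# Sentinels the audit log uses when a time frame does not apply to the action.
_NULL_VALUES = {"ZERO_TIME", "N/A", ""}


def _coerce(raw):
    """Strip quotes, map the null sentinels to None, and turn numbers into int/float."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]
    if value in _NULL_VALUES:
        return None
    for conv in (int, float):
        try:
            return conv(value)
        except ValueError:
            pass
    return value


def parse_audit_line(line):
    """Return the entry's fields as a dict with typed values."""
    return {key: _coerce(raw) for key, raw in _KV_RE.findall(line)}


def is_search_audit(fields):
    """True for a search entry that actually carries a time frame (not ZERO_TIME/N/A)."""
    return fields.get("action") == "search" and fields.get("search_et") is not None


def search_summary(fields):
    """Summarise a search entry: when it ran, how long, what window, how selective."""
    scan = fields.get("scan_count") or 0
    events = fields.get("event_count") or 0
    et, lt = fields.get("search_et"), fields.get("search_lt")
    return {
        "user": fields.get("user"),
        # exec_time is the epoch instant the search was kicked off
        "started_at": datetime.fromtimestamp(fields["exec_time"], tz=timezone.utc),
        # total_run_time is the wall-clock duration of the search in seconds
        "duration_seconds": fields.get("total_run_time"),
        # search_et/search_lt bound the time range that was searched
        "window_seconds": (lt - et) if et is not None and lt is not None else None,
        # events scanned per event returned: high values point at unselective searches
        "scanned_per_event": (scan / events) if events else None,
    }


def summarise_audit(lines):
    """Parse every line and summarise only the real search entries."""
    return [search_summary(f) for f in map(parse_audit_line, lines) if is_search_audit(f)]


if __name__ == "__main__":
    for summary in summarise_audit(SAMPLE_AUDIT_LINES):
        print(summary)
```

Run against the samples, only the first line produces a summary: a 24-hour window (86400 seconds) searched in 2.41 seconds, with 720 events scanned for every event returned. The `edit_user` entry is dropped because its ZERO_TIME and N/A fields parse to None, matching the reply's reading of those values as nulls for non-search actions.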