Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index=_audit contents?

saranya_fmr
Communicator
‎03-07-2017 02:06 AM

Could someone please tell me what these following fields in the audit index refer to? OR please guide me to the right Splunk doc coz I didn't find much info from splunk docs.

  • apiStartTime apiEndTime
  • total_run_time
  • exec_time
  • api_et , api_It
  • search_lt , search_et
  • scan_count
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

0 Karma
Reply
Solved! Jump to solution

saranya_fmr
Communicator
‎03-07-2017 10:31 PM

Thankyou @sloshburch , but a small query ,

a) Whats the difference amongst these -

  1. api_et , api_It
  2. apiStartTime apiEndTime
  3. search_lt , search_et

b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-09-2017 11:48 AM

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent as NULL because there is no start/end time if there is no search.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...