index=_audit contents?

Communicator

Could someone please tell me what the following fields in the audit index refer to? OR please guide me to the right Splunk doc coz I didn't find much info in the Splunk docs.

  • apiStartTime, apiEndTime
  • totalruntime
  • exec_time
  • apiet, apiIt
  • searchlt, searchet
  • scan_count
Re: index=_audit contents?

Ultra Champion

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to produce the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

Re: index=_audit contents?

Communicator

Thank you @SloshBurch, but a small query:

a) What's the difference amongst these:

  1. apiet, apiIt
  2. apiStartTime, apiEndTime
  3. searchlt, searchet

b) What does apiStartTime='ZEROTIME', apiEndTime='ZEROTIME' mean?

Re: index=_audit contents?

Ultra Champion

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent as NULL because there is no start/end time if there is no search.

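To follow the advice above (compare the audit entry's values with what the Job Inspector reports), the search below pulls the per-search fields from _audit into one row per search_id. It is an added example, not part of this thread or of Splunk's documentation. It assumes the usual _audit field names with underscores (total_run_time, api_et, api_lt, search_et, search_lt, exec_time as epoch seconds), that the apiStartTime/apiEndTime pair appears on the info=granted entry while the run-time counters appear on the info=completed entry, and that user and search_id are present on both; adjust the names if your version logs them differently.

```spl
index=_audit action=search (info=granted OR info=completed)
| stats earliest(_time) AS first_seen
        values(user) AS user
        values(apiStartTime) AS apiStartTime
        values(apiEndTime) AS apiEndTime
        values(api_et) AS api_et
        values(api_lt) AS api_lt
        values(search_et) AS search_et
        values(search_lt) AS search_lt
        max(total_run_time) AS total_run_time
        max(exec_time) AS exec_time
        max(scan_count) AS scan_count
        max(event_count) AS event_count
    BY search_id
| eval exec_time_readable=strftime(exec_time, "%Y-%m-%d %H:%M:%S")
| eval api_window=if(isnull(apiStartTime) OR apiStartTime="ZERO_TIME",
                     "n/a (no explicit time range)",
                     apiStartTime." to ".apiEndTime)
| eval scan_efficiency=if(scan_count>0, round(event_count/scan_count, 3), null())
| table first_seen user search_id exec_time_readable total_run_time
        scan_count event_count scan_efficiency api_window
        api_et api_lt search_et search_lt
| sort - total_run_time
```

Reading the result against the Job Inspector for the same search_id: total_run_time should match the inspector's elapsed time, scan_count its "scanned" count and event_count its "matched" count. A ZERO_TIME pair, as the answer notes, is the no-value marker rather than a real timestamp, so the eval above renders it as n/a instead of trying to parse it. A scan_efficiency close to 0 on a long-running search points at a search that read far more events than it returned, which is the first thing to tune when auditing expensive searches.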