Could someone please tell me what the following fields in the audit index refer to? Or please guide me to the right Splunk doc, because I didn't find much info in the Splunk docs.
My understanding is that the search_* fields are the time frames of the search (hence ZERO_TIME when not applicable).
total_run_time is how long the search took, and exec_time is when it was kicked off.
scan_count is how many events were looked at to produce the final
To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.
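As an added example (not part of this thread, and not Splunk's own code): a small Python parser that reads audit.log-style entries, treats ZERO_TIME as a null bound the way the answer above describes, and joins the "granted" and "completed" entries of each search_id so that the time window, total_run_time, exec_time and scan_count of one search can be read side by side. The sample lines and every value in them are constructed for this example; the field names are the ones mentioned in the thread, and the exact set of fields on a real entry varies with Splunk version and action.

```python
import re
from typing import Dict, List, Optional

# Constructed sample _audit entries (not real logs). The key=value layout
# mirrors audit.log, but every user, search and number here is invented.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=03-14-2023 10:15:02.123, user=alice, action=search, "
    "info=granted, search_id='1678788902.42', "
    "search='search index=_internal sourcetype=splunkd_access, status=401', "
    "apiStartTime='03-14-2023 09:15:00', apiEndTime='03-14-2023 10:15:00', "
    "savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-14-2023 10:15:04.456, user=alice, action=search, "
    "info=completed, search_id='1678788902.42', total_run_time=1.73, "
    "event_count=120, result_count=120, scan_count=3420, "
    "exec_time=1678788902, search_et=1678785300.000, search_lt=1678788900.000][n/a]",
    "Audit:[timestamp=03-14-2023 10:16:10.789, user=bob, action=search, "
    "info=granted, search_id='1678788970.7', search='search index=_audit', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=\"\"][n/a]",
]

ZERO_TIME = "ZERO_TIME"

# key=value pairs: single-quoted values may contain commas and '=' (the search
# string itself does), double-quoted values are taken whole, bare values run
# to the next comma or closing bracket.
_KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]]*)")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one 'Audit:[...][n/a]' line into a dict of its key=value fields."""
    m = re.fullmatch(r"Audit:\[(.*)\]\[[^\]]*\]", line.strip())
    body = m.group(1) if m else line
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(body):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]          # drop the surrounding quotes
        fields[key] = raw.strip()
    return fields


def bound(value: Optional[str]) -> Optional[str]:
    """Treat ZERO_TIME (or an absent field) as 'no bound', i.e. None."""
    if value is None or value == ZERO_TIME:
        return None
    return value


def summarize_searches(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Join the 'granted' and 'completed' audit entries of each search_id."""
    searches: Dict[str, Dict[str, object]] = {}
    for line in lines:
        f = parse_audit_line(line)
        if f.get("action") != "search" or "search_id" not in f:
            continue
        rec = searches.setdefault(f["search_id"], {"user": f.get("user")})
        if f.get("info") == "granted":
            rec["search"] = f.get("search")
            # apiStartTime/apiEndTime: the requested window, as logged at grant time
            rec["api_window"] = (bound(f.get("apiStartTime")), bound(f.get("apiEndTime")))
        elif f.get("info") == "completed":
            rec["total_run_time"] = float(f["total_run_time"]) if "total_run_time" in f else None
            rec["scan_count"] = int(f["scan_count"]) if "scan_count" in f else None
            rec["exec_time"] = int(f["exec_time"]) if "exec_time" in f else None
            # search_et/search_lt: epoch bounds of the window actually searched
            et, lt = bound(f.get("search_et")), bound(f.get("search_lt"))
            rec["search_window"] = (float(et) if et else None, float(lt) if lt else None)
    return searches


def searches_without_bounds(summary: Dict[str, Dict[str, object]]) -> List[str]:
    """search_ids whose granted entry carried ZERO_TIME (or nothing) for a bound."""
    return sorted(sid for sid, rec in summary.items()
                  if None in rec.get("api_window", (None, None)))


if __name__ == "__main__":
    summary = summarize_searches(SAMPLE_AUDIT_LINES)
    for sid, rec in summary.items():
        print(sid, rec)
    print("no time bounds:", searches_without_bounds(summary))
```

The join on search_id is the point: the time fields in the thread are spread across two audit entries per search, so comparing exec_time and total_run_time with the search_et/search_lt window only works once both entries are matched up; a search that only ever has a "granted" line never got a "completed" record, which the summary leaves visible as a missing search_window.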
Thank you @SloshBurch, but a small query:
a) What's the difference amongst these -
b) What does apiStartTime='ZEROTIME', apiEndTime='ZEROTIME' mean?
Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.
I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent to NULL, because there is no start/end time if there is no search.