I have extracted this log as I need to get the search id to get the SPL used. This is a search that triggers an alert.
Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.17][n/a]
Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.18][n/a]
Question: which part of the log is the search id or sid?
Like, if I use this code, what will be the search id to be used from the audit event above?
"index=_audit search_id='<your sid>' info=granted | table search,savedsearch_name"
Thanks!
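Added example (not part of the original question): a small Python parser for the Audit: line format shown above. It splits the key=value fields and, from the info field's REST path, pulls out the search id. It assumes the sid is the path segment that follows /search/jobs/ (which is how Splunk's REST job endpoints are addressed); the sample input is the two audit events quoted in the question.

```python
import re

# Constructed sample input: the two audit events from the question.
AUDIT_LINES = [
    "Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, "
    "info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.17][n/a]",
    "Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, "
    "info=granted REST: /search/jobs/rt_scheduler_asjkhasjfgalsjgasljf_search_asjkhasjfgalsjgasljf_at_1527059197_2.18][n/a]",
]

# Outer shape: "Audit:[<key=value, key=value, ...>][<trailer>]"
AUDIT_RE = re.compile(r"^Audit:\[(?P<body>.*)\]\[(?P<trailer>[^\]]*)\]$")
# key=value pairs; a value runs until the next ", key=" or end of body.
# Caveat: a value that itself contains ", word=" (e.g. a logged search string) would be cut short.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
# Assumption: the sid is the path segment after /search/jobs/ in the REST path.
SID_RE = re.compile(r"/search/jobs/(?P<sid>[^\s/\]]+)")


def parse_audit_line(line):
    """Return the audit fields as a dict plus a 'sid' key (None when no /search/jobs/ path is present)."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = {key: value.strip() for key, value in FIELD_RE.findall(m.group("body"))}
    fields["trailer"] = m.group("trailer")
    sid_match = SID_RE.search(fields.get("info", ""))
    fields["sid"] = sid_match.group("sid") if sid_match else None
    return fields


def extract_sids(lines):
    """Collect the sid of every parseable audit line that carries one."""
    sids = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed and parsed["sid"]:
            sids.append(parsed["sid"])
    return sids


def build_audit_query(sid):
    """Build the follow-up _audit query with the sid substituted (double quotes: a string literal in SPL)."""
    return 'index=_audit search_id="%s" info=granted | table search,savedsearch_name' % sid


if __name__ == "__main__":
    for sid in extract_sids(AUDIT_LINES):
        print(build_audit_query(sid))
```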