Splunk Search

What is the meaning of the Splunk Audit.log fields?

arpit_arora
Explorer

Hello, I am interested in finding the meaning of the following fields:

(1) event_count
(2) result_count
(3) available_count
(4) scan_count
(5) drop_count

Example is below.

Audit:[timestamp=02-03-2018 00:00:35.896, user=zops, action=search, info=canceled, search_id='1517615960.185830_86974EF3-D4A7-4683-B69E-19206AFBB708', total_run_time=0.40, event_count=0, result_count=0, available_count=0, scan_count=157, drop_count=0, exec_time=1517615960, api_et=1517615060.000000000, api_lt=1517615960.000000000, search_et=1517615700.000000000, search_lt=1517615880.000000000, is_realtime=0, savedsearch_name="", search_startup_time="305", searched_buckets=236, eliminated_buckets=115, considered_events=157, total_slices=3905957, decompressed_slices=101][n/a]

acharlieh
Influencer

I believe these are some of the fields that are also available as properties through the Job Inspector. Docs: http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/ViewsearchjobpropertieswiththeJobInspector

For the terms you asked about in particular:

scan_count (scanCount): The number of events that are scanned or read off disk.
event_count (eventCount): The number of events returned by the search.
result_count (resultCount): The total number of results returned by the search.
available_count (eventAvailableCount): The number of events that are available for export.
drop_count (dropCount): In real-time searches only, the number of possible events dropped due to queue size.

In other words, if I run a search, the number of events read off of disk for my search is scan_count, but the number of events that qualify for my search is event_count.

result_count could be the same as event_count if I was just retrieving events, but if I did some form of statistics in my search, that could be different (for example, if my search ended with `| stats count`, result_count would be 1). available_count would be more than zero if I was able to export any events (i.e. if I had events, and I was doing a non-transforming search, or I was running in verbose mode).
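As an added example that is not part of the original thread, the following Python parses an `Audit:[...]` record of the shape shown in the question and derives the quantities the answer explains (events read off disk versus events that qualified, and drops for real-time searches). The sample record is constructed from the question's own values; the `parse_audit_line` and `search_summary` names are my own.

```python
import re

# Constructed sample: a subset of the fields from the question's audit record.
SAMPLE = (
    "Audit:[timestamp=02-03-2018 00:00:35.896, user=zops, action=search, "
    "info=canceled, search_id='1517615960.185830_86974EF3-D4A7-4683-B69E-19206AFBB708', "
    "total_run_time=0.40, event_count=0, result_count=0, available_count=0, "
    "scan_count=157, drop_count=0, exec_time=1517615960, is_realtime=0, "
    "savedsearch_name=\"\", searched_buckets=236, eliminated_buckets=115][n/a]"
)

# key=value pairs; a value is single-quoted, double-quoted, or bare up to the
# next comma (bare values such as the timestamp may contain spaces).
_PAIR = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")


def parse_audit_line(line):
    """Return the key=value fields inside the Audit:[...] record as a dict of strings."""
    start = line.find("[")
    end = line.rfind("][")          # the record closes before the trailing [n/a]
    if end == -1:
        end = line.rfind("]")
    body = line[start + 1:end]
    return {key: val.strip().strip("'\"") for key, val in _PAIR.findall(body)}


def search_summary(fields):
    """Derive the counters the answer describes from a parsed audit record."""
    scan = int(fields["scan_count"])
    events = int(fields["event_count"])
    return {
        "search_id": fields["search_id"],
        "scanned": scan,                      # events read off disk
        "matched": events,                    # events that qualified for the search
        "results": int(fields["result_count"]),
        # share of scanned events that qualified; 0.0 when nothing was scanned
        "match_ratio": (events / scan) if scan else 0.0,
        # drop_count only carries meaning for real-time searches (is_realtime=1)
        "dropped_events": int(fields["drop_count"]) if fields.get("is_realtime") == "1" else 0,
        "canceled": fields.get("info") == "canceled",
    }


if __name__ == "__main__":
    for key, value in search_summary(parse_audit_line(SAMPLE)).items():
        print(f"{key}: {value}")
```

A low match_ratio over many searches points at queries that read far more off disk than they keep, which is where the scan_count versus event_count distinction matters.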
