Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index=_audit contents?

saranya_fmr
Communicator
‎03-07-2017 02:06 AM

Could someone please tell me what these following fields in the audit index refer to? OR please guide me to the right Splunk doc coz I didn't find much info from splunk docs.

  • apiStartTime apiEndTime
  • total_run_time
  • exec_time
  • api_et , api_It
  • search_lt , search_et
  • scan_count
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-07-2017 05:31 AM

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to product the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.

0 Karma
Reply
Solved! Jump to solution

saranya_fmr
Communicator
‎03-07-2017 10:31 PM

Thankyou @sloshburch , but a small query ,

a) Whats the difference amongst these -

  1. api_et , api_It
  2. apiStartTime apiEndTime
  3. search_lt , search_et

b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-09-2017 11:48 AM

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent as NULL because there is no start/end time if there is no search.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...