Could someone please tell me what the following fields in the audit index refer to? Or please guide me to the right Splunk doc, because I didn't find much info in the Splunk docs.
My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to produce the final event_count.
To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.
Thank you @sloshburch, but a small query:
a) What's the difference amongst these -
b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?
Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.
I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent to NULL, because there is no start/end time if there is no search.
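To make the field relationships from the answers above concrete (the api*/search_* time windows, total_run_time, exec_time, scan_count versus event_count, and ZERO_TIME behaving like NULL on non-search entries), here is an added example that is not part of the original thread or of Splunk's own code. It parses a few constructed audit.log-style lines and produces a small review summary per completed search, the kind of thing a SOC might run offline when auditing search activity. The sample lines and the field set are constructed from my own understanding of the audit.log format; treat the exact key names beyond those on the page (search_id, api_et, api_lt, search_et, search_lt, result_count) as assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the style of Splunk's audit.log (not real output).
# Field names other than those quoted in the thread are assumptions.
SAMPLE_AUDIT_LINES = [
    # "granted" entry: the api*/search_* window is not known yet, so ZERO_TIME appears.
    "Audit:[timestamp=05-01-2020 10:00:00.000, user=admin, action=search, info=granted , "
    "search_id='1588327200.12', search='search index=_internal | head 10', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=\"\"][n/a]",
    # "completed" entry: run time, scan/event counts and the resolved time window.
    "Audit:[timestamp=05-01-2020 10:00:02.000, user=admin, action=search, info=completed, "
    "search_id='1588327200.12', total_run_time=1.25, event_count=10, result_count=10, "
    "available_count=10, scan_count=250000, drop_count=0, exec_time=1588327200, "
    "api_et=N/A, api_lt=N/A, search_et=1588240800.000, search_lt=1588327200.000, "
    "is_realtime=0, savedsearch_name=\"\"][n/a]",
    # Non-search activity: no search window at all.
    "Audit:[timestamp=05-01-2020 10:01:00.000, user=alice, action=login attempt, "
    "info=succeeded, reason=\"\"][n/a]",
]

# key=value pairs; values may be single-quoted, double-quoted, or bare up to the next comma.
_KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^,]*)""")

# Markers Splunk uses when a time field does not apply; treated as NULL (None) here.
NULL_MARKERS = {"ZERO_TIME", "N/A", ""}

NUMERIC_FIELDS = {
    "total_run_time", "event_count", "result_count", "available_count",
    "scan_count", "drop_count", "exec_time", "api_et", "api_lt",
    "search_et", "search_lt", "is_realtime",
}


def parse_audit_line(line):
    """Turn one audit.log-style line into a dict; ZERO_TIME/N/A/empty become None."""
    body = line.strip()
    if body.startswith("Audit:["):
        body = body[len("Audit:["):]
    body = re.sub(r"\]\[n/a\]$", "", body).rstrip("]")
    fields = {}
    for key, raw in _KV_RE.findall(body):
        value = raw.strip()
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]          # drop surrounding quotes
        if value in NULL_MARKERS:
            fields[key] = None
            continue
        if key in NUMERIC_FIELDS:
            number = float(value)
            value = int(number) if number.is_integer() else number
        fields[key] = value
    return fields


def summarize_search(fields, slow_seconds=60.0, min_selectivity=0.001):
    """Summarize an info=completed search entry; return None for anything else."""
    if fields.get("action") != "search" or fields.get("info") != "completed":
        return None
    scan = fields.get("scan_count") or 0
    events = fields.get("event_count") or 0
    selectivity = events / scan if scan else None   # events kept per event scanned
    started = fields.get("exec_time")
    flags = []
    if (fields.get("total_run_time") or 0) > slow_seconds:
        flags.append("slow")
    if selectivity is not None and selectivity < min_selectivity:
        flags.append("low_selectivity")            # scanned far more than it returned
    return {
        "user": fields.get("user"),
        "search_id": fields.get("search_id"),
        "started_utc": (datetime.fromtimestamp(started, tz=timezone.utc).isoformat()
                        if started is not None else None),
        "window": (fields.get("search_et"), fields.get("search_lt")),
        "run_seconds": fields.get("total_run_time"),
        "scan_count": scan,
        "event_count": events,
        "selectivity": selectivity,
        "flags": flags,
    }


def summarize_lines(lines):
    """Parse every line and keep only the completed-search summaries."""
    summaries = (summarize_search(parse_audit_line(l)) for l in lines)
    return [s for s in summaries if s is not None]


if __name__ == "__main__":
    for summary in summarize_lines(SAMPLE_AUDIT_LINES):
        print(summary)
```

The summary reads the fields the way the thread describes them: exec_time is the kick-off moment, search_et/search_lt the window the search actually covered, and scan_count against event_count shows how much work the search did for what it returned; the granted and login entries carry no window and so yield None rather than a bogus timestamp.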