Splunk Search

index=_audit contents?

saranya_fmr
Communicator

Could someone please tell me what the following fields in the audit index refer to? Or please guide me to the right Splunk doc, because I didn't find much info in the Splunk docs.

  • apiStartTime, apiEndTime
  • total_run_time
  • exec_time
  • api_et, api_lt
  • search_lt, search_et
  • scan_count
1 Solution

sloshburch
Ultra Champion

My understanding is that the api* and search_* fields are the time frames of the search (hence ZERO_TIME when not applicable). total_run_time is how long the search took, exec_time is when it was kicked off. scan_count is how many events were looked at to produce the final event_count.

To understand more, look at the Job Inspector and how the values in it correspond to the search's audit entry.



saranya_fmr
Communicator

Thank you @sloshburch, but a small query:

a) What's the difference among these?

  1. api_et, api_lt
  2. apiStartTime, apiEndTime
  3. search_lt, search_et

b) What does apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME' mean?


sloshburch
Ultra Champion

Honestly, I'm not sure of the difference. As far as I can tell, there is none and it's just inconsistent logging depending on what activity generated the log. As a result of this question, I've reached out to our documentation team to get them to formally attack this realm and clear up all this confusion.

I saw the ZERO_TIME values correlated with non-search actions. So I believe they are equivalent to NULL because there is no start/end time if there is no search.

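As an added example (not code from this thread or from Splunk), the Python below parses a few constructed _audit-style records and reads the fields the way the two answers above describe them: exec_time as when the search started, total_run_time as how long it ran, search_et/search_lt and api_et/api_lt as the searched time window, scan_count against event_count as how much data was read to produce the results, and ZERO_TIME treated as null for records where no search window exists. The `Audit:[key=value, ...][n/a]` line layout, the sample values, and the function names are assumptions made for this example; the field names are the ones discussed in the thread.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample records shaped like Splunk _audit "search" and "login
# attempt" events. The Audit:[key=value, ...][n/a] layout is an assumption
# for this example; the field names are the ones discussed in the thread.
SAMPLE_AUDIT_LINES: List[str] = [
    # search granted: no time window is known yet, so the api* fields are ZERO_TIME
    "Audit:[timestamp=03-05-2019 10:22:33.123, user=admin, action=search, "
    "info=granted REST: /services/search/jobs, search_id='1551781353.42', "
    "search='search index=main sourcetype=access_combined status=500', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=\"\"][n/a]",
    # same search completed: duration, window and scan/event counts are present
    "Audit:[timestamp=03-05-2019 10:22:35.456, user=admin, action=search, "
    "info=completed, search_id='1551781353.42', total_run_time=1.87, "
    "event_count=120, result_count=120, scan_count=48000, exec_time=1551781353, "
    "api_et=1551695000.000000000, api_lt=1551781400.000000000, "
    "search_et=1551695000.000, search_lt=1551781400.000, is_realtime=0][n/a]",
    # a non-search audit event: none of the search timing fields apply
    "Audit:[timestamp=03-05-2019 10:23:01.000, user=admin, action=login attempt, "
    "info=succeeded, reason=\"\", useragent=\"curl/7.64.0\", method=\"cookie\"][n/a]",
]

ZERO_TIME = "ZERO_TIME"
# key=value pairs; a value is single-quoted, double-quoted, or bare up to the next comma
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one Audit:[...][n/a] line into a flat dict of string fields."""
    body = line[line.index("[") + 1 : line.rindex("][")]
    return {key: raw.strip().strip("'\"") for key, raw in KV_RE.findall(body)}


def to_time(value: Optional[str]) -> Optional[datetime]:
    """Epoch-second field (exec_time, api_et/lt, search_et/lt) to UTC; ZERO_TIME or absent -> None."""
    if value is None or value in ("", ZERO_TIME):
        return None
    return datetime.fromtimestamp(float(value), tz=timezone.utc)


def summarize_search(fields: Dict[str, str]) -> Optional[dict]:
    """Interpret a completed search record: when it started, how long it ran,
    the time window it searched, and how selective it was."""
    if fields.get("action") != "search" or fields.get("info") != "completed":
        return None
    earliest, latest = to_time(fields.get("search_et")), to_time(fields.get("search_lt"))
    scan_count = int(float(fields.get("scan_count", "0")))
    event_count = int(float(fields.get("event_count", "0")))
    return {
        "search_id": fields.get("search_id"),
        "user": fields.get("user"),
        "started_at": to_time(fields.get("exec_time")),
        "duration_s": float(fields.get("total_run_time", "0")),
        "window_hours": (latest - earliest).total_seconds() / 3600 if earliest and latest else None,
        "scan_count": scan_count,
        "event_count": event_count,
        # events read per event kept; a high ratio means the search filtered little up front
        "scan_ratio": scan_count / event_count if event_count else None,
    }


def summarize_all(lines: List[str]) -> List[dict]:
    """Summaries for every completed search in the given audit lines."""
    summaries = []
    for line in lines:
        summary = summarize_search(parse_audit_line(line))
        if summary:
            summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in summarize_all(SAMPLE_AUDIT_LINES):
        print(f"{s['user']} search {s['search_id']}: started {s['started_at']:%Y-%m-%d %H:%M:%S}Z, "
              f"ran {s['duration_s']}s over a {s['window_hours']:.0f}h window, "
              f"scanned {s['scan_count']} events to keep {s['event_count']} (ratio {s['scan_ratio']:.0f})")
```

Only the `info=completed` record yields a summary; the `granted` record carries ZERO_TIME in apiStartTime/apiEndTime and `to_time` maps that to None, and the login record is skipped entirely because no search window applies to it. The same summaries can be compared against the Job Inspector for a real search to confirm the field meanings on your own deployment.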