Audit:[timestamp=01-11-2023 20:01:39.688, user=admin, action=search, info=granted , search_id='1673467299.159', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles path | dedup user action', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 20:01:36.654, user=admin, action=search, info=completed, search_id='1673467291.158', has_error_warn=false, fully_completed_search=true, total_run_time=0.34, event_count=44, result_count=0, available_count=44, scan_count=114, drop_count=0, exec_time=1673467291, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="122", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_c8d2f0c546253faa", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=0, considered_events=114, total_slices=147, decompressed_slices=15, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=39, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=44, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles | dedup user action path', is_federated_search=0]
Audit:[timestamp=01-11-2023 20:01:31.703, user=admin, action=search, info=granted , search_id='1673467291.158', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles | dedup user action path', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 20:01:06.685, user=admin, action=search, info=completed, search_id='1673467244.156', has_error_warn=false, fully_completed_search=true, total_run_time=0.49, event_count=41, result_count=41, available_count=41, scan_count=111, drop_count=0, exec_time=1673467244, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="170", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_c8d2f0c546253faa", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=0, considered_events=111, total_slices=147, decompressed_slices=15, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=86, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=41, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles', is_federated_search=0]
Audit:[timestamp=01-11-2023 20:01:06.654, user=admin, action=search, info=completed, search_id='1673467264.157', has_error_warn=false, fully_completed_search=true, total_run_time=0.60, event_count=42, result_count=3, available_count=42, scan_count=112, drop_count=0, exec_time=1673467264, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="317", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_c8d2f0c546253faa", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=0, considered_events=112, total_slices=147, decompressed_slices=15, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=95, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=42, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles | dedup user action', is_federated_search=0]
Audit:[timestamp=01-11-2023 20:01:04.406, user=admin, action=search, info=granted , search_id='1673467264.157', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles | dedup user action', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 20:00:44.358, user=admin, action=search, info=granted , search_id='1673467244.156', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action roles info roles', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:58:36.661, user=admin, action=search, info=completed, search_id='1673467091.141', has_error_warn=false, fully_completed_search=true, total_run_time=0.53, event_count=38, result_count=38, available_count=38, scan_count=108, drop_count=0, exec_time=1673467091, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="156", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_a7029fcedc0b65c2", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=0, considered_events=108, total_slices=146, decompressed_slices=14, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=114, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=38, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:58:36.652, user=admin, action=search, info=canceled, search_id='ta_1673467051.139', has_error_warn=false, fully_completed_search=false, total_run_time=0.17, event_count=0, result_count=50, available_count=0, scan_count=0, drop_count=0, exec_time=1673467051, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="194", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_0ec09c67e5f4a231", app="search", provenance="N/A", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=typeahead, roles='admin+power+user', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml ac" max_time="1" count="50" use_cache=1', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:58:11.199, user=admin, action=search, info=granted , search_id='1673467091.141', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=* |table user action', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:58:06.653, user=admin, action=search, info=completed, search_id='1673467057.140', has_error_warn=false, fully_completed_search=true, total_run_time=0.50, event_count=32, result_count=32, available_count=32, scan_count=37, drop_count=0, exec_time=1673467057, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="207", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_5527edd6831b16ad", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=37, total_slices=37, decompressed_slices=6, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=32, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=*', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:57:37.248, user=admin, action=search, info=granted , search_id='1673467057.140', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=*', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:57:31.296, user=admin, action=search, info=granted , search_id='ta_1673467051.139', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml ac" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", search_type="typeahead", is_proxied=false, app="search", provenance="N/A", mode="historical"]
Audit:[timestamp=01-11-2023 19:55:06.657, user=admin, action=search, info=completed, search_id='1673466899.138', has_error_warn=false, fully_completed_search=true, total_run_time=0.23, event_count=26, result_count=26, available_count=26, scan_count=34, drop_count=0, exec_time=1673466900, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="96", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_1ac875ed48db68ef", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=34, total_slices=37, decompressed_slices=6, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=26, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=search', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:54:59.943, user=admin, action=search, info=granted , search_id='1673466899.138', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=search', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:53:36.654, user=admin, action=search, info=completed, search_id='1673466794.137', has_error_warn=false, fully_completed_search=true, total_run_time=0.48, event_count=1, result_count=1, available_count=1, scan_count=66, drop_count=0, exec_time=1673466794, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="196", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_e6538de8ae895f5e", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=1, considered_events=66, total_slices=145, decompressed_slices=9, duration.command.search.index=16, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=92, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=1, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=add | table action mode splunk_server path', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:53:14.470, user=admin, action=search, info=granted , search_id='1673466794.137', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=add | table action mode splunk_server path', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:53:06.667, user=admin, action=search, info=canceled, search_id='ta_1673466707.134', has_error_warn=false, fully_completed_search=false, total_run_time=0.07, event_count=0, result_count=7, available_count=0, scan_count=0, drop_count=0, exec_time=1673466707, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="29", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_2cc1a5563273f54f", app="search", provenance="N/A", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=typeahead, roles='admin+power+user', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml tab" max_time="1" count="50" use_cache=1', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:53:06.658, user=admin, action=search, info=canceled, search_id='ta_1673466707.133', has_error_warn=false, fully_completed_search=false, total_run_time=0.11, event_count=0, result_count=50, available_count=0, scan_count=0, drop_count=0, exec_time=1673466707, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="170", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_e27b5429bca9005b", app="search", provenance="N/A", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, search_type=typeahead, roles='admin+power+user', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml t" max_time="1" count="50" use_cache=1', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:53:06.656, user=admin, action=search, info=completed, search_id='1673466766.135', has_error_warn=false, fully_completed_search=true, total_run_time=0.33, event_count=1, result_count=1, available_count=1, scan_count=5, drop_count=0, exec_time=1673466766, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="210", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_ddbab7a52a58f8b4", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=5, total_slices=36, decompressed_slices=2, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=1, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=add | table action mode splunk_server', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:53:06.652, user=admin, action=search, info=completed, search_id='1673466777.136', has_error_warn=false, fully_completed_search=true, total_run_time=0.29, event_count=1, result_count=1, available_count=1, scan_count=62, drop_count=0, exec_time=1673466777, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="87", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_368a2a522e3fc7ff", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=1, considered_events=62, total_slices=145, decompressed_slices=9, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=68, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=1, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=add | table action mode splunk_server', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:52:57.520, user=admin, action=search, info=granted , search_id='1673466777.136', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/* action=add | table action mode splunk_server', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:52:46.173, user=admin, action=search, info=granted , search_id='1673466766.135', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=add | table action mode splunk_server', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:51:47.575, user=admin, action=search, info=granted , search_id='ta_1673466707.134', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml tab" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", search_type="typeahead", is_proxied=false, app="search", provenance="N/A", mode="historical"]
Audit:[timestamp=01-11-2023 19:51:47.094, user=admin, action=search, info=granted , search_id='ta_1673466707.133', search='typeahead prefix="index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml t" max_time="1" count="50" use_cache=1', autojoin='0', buckets=0, ttl=10, max_count=50, maxtime=8640000, enable_lookups='0', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", search_type="typeahead", is_proxied=false, app="search", provenance="N/A", mode="historical"]
Audit:[timestamp=01-11-2023 19:51:36.666, user=admin, action=search, info=completed, search_id='1673466684.132', has_error_warn=false, fully_completed_search=true, total_run_time=0.40, event_count=1, result_count=1, available_count=1, scan_count=3, drop_count=0, exec_time=1673466684, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="189", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_3e59b84ee3ac92d6", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=3, total_slices=36, decompressed_slices=2, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=1, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=add', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:51:36.655, user=admin, action=search, info=completed, search_id='1673466668.131', has_error_warn=false, fully_completed_search=true, total_run_time=0.38, event_count=19, result_count=19, available_count=19, scan_count=24, drop_count=0, exec_time=1673466668, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="187", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_4aae879632186b09", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=24, total_slices=36, decompressed_slices=5, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=65, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=19, roles='admin+power+user', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:51:24.461, user=admin, action=search, info=granted , search_id='1673466684.132', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml action=add', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:51:08.160, user=admin, action=search, info=granted , search_id='1673466668.131', search='search index=_audit path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:51:06.656, user=admin, action=search, info=completed, search_id='1673466661.130', has_error_warn=false, fully_completed_search=true, total_run_time=0.38, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1673466661, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="217", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_13bf20c860b04575", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=4, eliminated_buckets=3, considered_events=1, total_slices=4662, decompressed_slices=1, duration.command.search.index=12, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=35, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=_internal path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:51:06.652, user=admin, action=search, info=completed, search_id='1673466653.129', has_error_warn=false, fully_completed_search=true, total_run_time=0.29, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1673466653, api_et=N/A, api_lt=N/A, api_index_et=N/A, api_index_lt=N/A, search_et=N/A, search_lt=N/A, is_realtime=0, savedsearch_name="", search_startup_time="174", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_ce02d729c28fef2d", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=audit_ path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:51:01.365, user=admin, action=search, info=granted , search_id='1673466661.130', search='search index=_internal path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:50:53.704, user=admin, action=search, info=granted , search_id='1673466653.129', search='search index=audit_ path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:50:36.655, user=admin, action=search, info=completed, search_id='1673466624.127', has_error_warn=false, fully_completed_search=true, total_run_time=0.22, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1673466624, api_et=1673377200.000000000, api_lt=1673466624.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466624.000000000, is_realtime=0, savedsearch_name="", search_startup_time="83", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_09ad2026fa50fb8b", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=* path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:50:36.652, user=admin, action=search, info=completed, search_id='1673466630.128', has_error_warn=false, fully_completed_search=true, total_run_time=0.36, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1673466630, api_et=1673377200.000000000, api_lt=1673466630.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466630.000000000, is_realtime=0, savedsearch_name="", search_startup_time="157", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_ce02d729c28fef2d", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=audit_ path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:50:30.306, user=admin, action=search, info=granted , search_id='1673466630.128', search='search index=audit_ path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:50:30 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:50:24.312, user=admin, action=search, info=granted , search_id='1673466624.127', search='search index=* path=/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:50:24 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:44:06.698, user=admin, action=search, info=completed, search_id='1673466217.125', has_error_warn=false, fully_completed_search=true, total_run_time=0.54, event_count=0, result_count=0, available_count=0, scan_count=1, drop_count=0, exec_time=1673466217, api_et=1673377200.000000000, api_lt=1673466217.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466217.000000000, is_realtime=0, savedsearch_name="", search_startup_time="283", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_d1ea827f704ec811", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=3, eliminated_buckets=2, considered_events=1, total_slices=4484, decompressed_slices=1, duration.command.search.index=9, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=36, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=_internal path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:44:06.682, user=admin, action=search, info=completed, search_id='1673466223.126', has_error_warn=false, fully_completed_search=true, total_run_time=0.31, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1673466224, api_et=1673377200.000000000, api_lt=1673466223.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466223.000000000, is_realtime=0, savedsearch_name="", search_startup_time="160", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_736d62a24a47c172", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+power+user', search='search index=* path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:43:43.995, user=admin, action=search, info=granted , search_id='1673466223.126', search='search index=* path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:43:43 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:43:37.235, user=admin, action=search, info=granted , search_id='1673466217.125', search='search index=_internal path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:43:37 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:43:36.669, user=admin, action=search, info=completed, search_id='1673466201.123', has_error_warn=false, fully_completed_search=true, total_run_time=0.71, event_count=2, result_count=2, available_count=2, scan_count=8, drop_count=0, exec_time=1673466201, api_et=1673377200.000000000, api_lt=1673466201.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466201.000000000, is_realtime=0, savedsearch_name="", search_startup_time="287", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_26a00e5554bbef33", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=3, eliminated_buckets=2, considered_events=8, total_slices=34, decompressed_slices=3, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=102, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=2, roles='admin+power+user', search='search index=_audit testxx path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:43:36.656, user=admin, action=search, info=completed, search_id='1673466208.124', has_error_warn=false, fully_completed_search=true, total_run_time=0.27, event_count=3, result_count=3, available_count=3, scan_count=7, drop_count=0, exec_time=1673466209, api_et=1673377200.000000000, api_lt=1673466208.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1673377200.000000000, search_lt=1673466208.000000000, is_realtime=0, savedsearch_name="", search_startup_time="86", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="49E16466-89E8-4FFB-96DA-B91255966CB5_search_admin_ed4f0279444d7941", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=3, eliminated_buckets=2, considered_events=7, total_slices=34, decompressed_slices=3, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=3, roles='admin+power+user', search='search index=_audit path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', is_federated_search=0]
Audit:[timestamp=01-11-2023 19:43:28.952, user=admin, action=search, info=granted , search_id='1673466208.124', search='search index=_audit path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:43:28 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:43:21.624, user=admin, action=search, info=granted , search_id='1673466201.123', search='search index=_audit testxx path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Tue Jan 10 19:00:00 2023', apiEndTime='Wed Jan 11 19:43:21 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=01-11-2023 19:18:31.085, user=n/a, action=delete,path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml"]
Audit:[timestamp=01-11-2023 19:07:07.787, user=n/a, action=add,path="/opt/splunk/etc/users/test/search/local/data/ui/views/testxx.xml", isdir=0, size=1905, gid=0, uid=0, modtime="Wed Jan 11 19:04:50 2023", mode="rw-------", hash=]