Audit:[timestamp=08-24-2023 19:27:50.705, user=admin, action=search, info=completed, search_id='1692905242.230', has_error_warn=false, fully_completed_search=true, total_run_time=1.92, event_count=20, result_count=3, available_count=20, scan_count=6637, drop_count=0, exec_time=1692905242, api_et=1692817200.000000000, api_lt=1692905242.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692905242.000000000, is_realtime=0, savedsearch_name="", search_startup_time="27", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_464c42e00cc87edd", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=6637, total_slices=54, decompressed_slices=57, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=28, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=20, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail  source=audittrail | stats  count by action raw file user', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:27:22.534, user=admin, action=search, info=granted , search_id='1692905242.230', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail  source=audittrail | stats  count by action raw file user', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:27:22 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:27:20.722, user=admin, action=search, info=completed, search_id='1692905231.227', has_error_warn=false, fully_completed_search=true, total_run_time=2.72, event_count=17, result_count=3, available_count=17, scan_count=6580, drop_count=0, exec_time=1692905232, api_et=1692817200.000000000, api_lt=1692905231.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692905231.000000000, is_realtime=0, savedsearch_name="", search_startup_time="289", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_ac233e16b1447419", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=6580, total_slices=54, decompressed_slices=57, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=89, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=17, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail  source=audittrail | stats  count by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:27:20.711, user=admin, action=search, info=completed, search_id='1692905216.225', has_error_warn=false, fully_completed_search=true, total_run_time=2.87, event_count=16, result_count=3, available_count=16, scan_count=6514, drop_count=0, exec_time=1692905216, api_et=1692817200.000000000, api_lt=1692905216.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692905216.000000000, is_realtime=0, savedsearch_name="", search_startup_time="94", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_4370504a602abce3", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=6514, total_slices=53, decompressed_slices=55, duration.command.search.index=3, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=41, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=16, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail | stats  count by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:27:11.905, user=admin, action=search, info=granted , search_id='1692905231.227', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail  source=audittrail | stats  count by action raw file', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:27:11 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:26:56.722, user=admin, action=search, info=granted , search_id='1692905216.225', search='search index=_audit *makeresults* AND *collect* file=*  sourcetype=audittrail | stats  count by action raw file', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:26:56 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:26:50.709, user=admin, action=search, info=completed, search_id='1692905189.224', has_error_warn=false, fully_completed_search=true, total_run_time=3.10, event_count=14, result_count=14, available_count=14, scan_count=6447, drop_count=0, exec_time=1692905189, api_et=1692817200.000000000, api_lt=1692905189.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692905189.000000000, is_realtime=0, savedsearch_name="", search_startup_time="189", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_ecf1654b520b35eb", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=6447, total_slices=53, decompressed_slices=56, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=110, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=14, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=*', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:26:29.269, user=admin, action=search, info=granted , search_id='1692905189.224', search='search index=_audit *makeresults* AND *collect* file=*', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:26:29 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:15:20.759, user=admin, action=search, info=completed, search_id='1692904489.196', has_error_warn=false, fully_completed_search=true, total_run_time=2.35, event_count=9, result_count=3, available_count=0, scan_count=5825, drop_count=0, exec_time=1692904489, api_et=1692817200.000000000, api_lt=1692904489.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692904489.000000000, is_realtime=0, savedsearch_name="", search_startup_time="119", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_c970e89befab9b7e", app="search", provenance="UI:Search", mode="historical_batch", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=5825, total_slices=43, decompressed_slices=42, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=61, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=9, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=* | stats count by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:15:20.726, user=admin, action=search, info=completed, search_id='1692904502.198', has_error_warn=false, fully_completed_search=true, total_run_time=2.32, event_count=11, result_count=3, available_count=11, scan_count=5876, drop_count=0, exec_time=1692904502, api_et=1692817200.000000000, api_lt=1692904502.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692904502.000000000, is_realtime=0, savedsearch_name="", search_startup_time="144", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_c970e89befab9b7e", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=5876, total_slices=43, decompressed_slices=44, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=108, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=11, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* file=* | stats count by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:15:02.771, user=admin, action=search, info=granted , search_id='1692904502.198', search='search index=_audit *makeresults* AND *collect* file=* | stats count by action raw file', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:15:02 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:14:50.724, user=admin, action=search, info=completed, search_id='1692904463.195', has_error_warn=false, fully_completed_search=true, total_run_time=1.75, event_count=8, result_count=3, available_count=0, scan_count=5779, drop_count=0, exec_time=1692904463, api_et=1692817200.000000000, api_lt=1692904463.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692904463.000000000, is_realtime=0, savedsearch_name="", search_startup_time="38", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_56977d22d0a432af", app="search", provenance="UI:Search", mode="historical_batch", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=5779, total_slices=43, decompressed_slices=42, duration.command.search.index=4, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=74, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=8, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* raw=* file=* | stats count by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:14:49.346, user=admin, action=search, info=granted , search_id='1692904489.196', search='search index=_audit *makeresults* AND *collect* file=* | stats count by action raw file', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:14:49 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:14:23.374, user=admin, action=search, info=granted , search_id='1692904463.195', search='search index=_audit *makeresults* AND *collect* raw=* file=* | stats count by action raw file', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:14:23 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:14:20.719, user=admin, action=search, info=completed, search_id='1692904436.191', has_error_warn=false, fully_completed_search=true, total_run_time=3.30, event_count=4, result_count=4, available_count=0, scan_count=5689, drop_count=0, exec_time=1692904436, api_et=1692817200.000000000, api_lt=1692904436.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692904436.000000000, is_realtime=0, savedsearch_name="", search_startup_time="48", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_d6c630ab24effbb8", app="search", provenance="UI:Search", mode="historical_batch", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=5689, total_slices=42, decompressed_slices=41, duration.command.search.index=2, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=20, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=4, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* raw=* file=* | table action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:14:20.707, user=admin, action=search, info=bad_request, search_id='1692904458.194', has_error_warn=true, fully_completed_search=false, total_run_time=0.01, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1692904458, api_et=1692817200.000000000, api_lt=1692904458.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692904458.000000000, is_realtime=0, savedsearch_name="", search_startup_time="32", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='admin+can_delete+phantom+power+user', search='search index=_audit *makeresults* AND *collect* raw=* file=* | stats coount by action raw file', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:14:18.150, user=admin, action=search, info=granted , search_id='1692904458.194', search='search index=_audit *makeresults* AND *collect* raw=* file=* | stats coount by action raw file', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:14:18 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:13:56.409, user=admin, action=search, info=granted , search_id='1692904436.191', search='search index=_audit *makeresults* AND *collect* raw=* file=* | table action raw file', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:13:56 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 19:01:50.709, user=admin, action=search, info=completed, search_id='1692903696.145', has_error_warn=false, fully_completed_search=true, total_run_time=2.18, event_count=1, result_count=1, available_count=1, scan_count=2, drop_count=0, exec_time=1692903696, api_et=1692817200.000000000, api_lt=1692903696.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692817200.000000000, search_lt=1692903696.000000000, is_realtime=0, savedsearch_name="", search_startup_time="242", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_admin_0d347b11f736aa2e", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=1, eliminated_buckets=0, considered_events=2, total_slices=32, decompressed_slices=2, duration.command.search.index=1, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=75, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, sourcetype_count__audittrail=1, roles='admin+can_delete+phantom+power+user', search='search index=_audit *collect* search="'search index=stub | append [|makeresults | eval _raw=\"REPLACE_ME\"] | collect file=session-exploitrce spool=false index='"', is_federated_search=0]
Audit:[timestamp=08-24-2023 19:01:36.115, user=admin, action=search, info=granted , search_id='1692903696.145', search='search index=_audit *collect* search="'search index=stub | append [|makeresults | eval _raw=\"REPLACE_ME\"] | collect file=session-exploitrce spool=false index='"', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 19:00:00 2023', apiEndTime='Thu Aug 24 19:01:36 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]
Audit:[timestamp=08-24-2023 18:31:50.685, user=user, action=search, info=completed, search_id='1692901880.31', has_error_warn=false, fully_completed_search=true, total_run_time=1.20, event_count=1, result_count=1, available_count=1, scan_count=0, drop_count=0, exec_time=1692901880, api_et=1692813600.000000000, api_lt=1692901880.000000000, api_index_et=N/A, api_index_lt=N/A, search_et=1692813600.000000000, search_lt=1692901880.000000000, is_realtime=0, savedsearch_name="", search_startup_time="32", is_prjob=false, is_flex_search=false, rate_limit_retry_enabled=false, acceleration_id="99052A46-AEF6-4D0B-AFA4-BCDD168C8A5C_search_user_e942a256c4ed4566", app="search", provenance="UI:Search", mode="historical", is_proxied=false, searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0, duration.command.search.index=0, invocations.command.search.index.bucketcache.hit=0, duration.command.search.index.bucketcache.hit=0, invocations.command.search.index.bucketcache.miss=0, duration.command.search.index.bucketcache.miss=0, invocations.command.search.index.bucketcache.error=0, duration.command.search.rawdata=0, invocations.command.search.rawdata.bucketcache.hit=0, duration.command.search.rawdata.bucketcache.hit=0, invocations.command.search.rawdata.bucketcache.miss=0, duration.command.search.rawdata.bucketcache.miss=0, invocations.command.search.rawdata.bucketcache.error=0, roles='user', search='search index=stub | append [|makeresults | eval _raw="REPLACE_ME"] | collect file=session-exploitrce spool=false index=', is_federated_search=0]
Audit:[timestamp=08-24-2023 18:31:20.254, user=user, action=search, info=granted , search_id='1692901880.31', search='search index=stub | append [|makeresults | eval _raw="REPLACE_ME"] | collect file=session-exploitrce spool=false index=', autojoin='1', buckets=300, ttl=600, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Aug 23 18:00:00 2023', apiEndTime='Thu Aug 24 18:31:20 2023', apiIndexStartTime='ZERO_TIME', apiIndexEndTime='ZERO_TIME', savedsearch_name="", is_proxied=false, app="search", provenance="UI:Search", mode="historical"]