The Audit Index provides event logs for scheduled search activity, including results sent via a webhook connection. The following steps show how to query the Audit Index for webhook activity from scheduled searches. Review the raw event log messages to refine the query for your own needs.
- Ensure the Audit Index is enabled in your account.
- Run the following query with the desired time range:

```
_index=sumologic_audit _sourcecategory="scheduled_search" action="MODIFY"
| parse "[AlertType=*]" as alertType
| where alertType="webhook"
```
- To see which user is sending scheduled search results to webhooks, view the `sourceuser` field. A full list of available fields is in the Audit event message fields table.
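To show what the query above does offline, here is an added Python example (not part of the original page or Sumo Logic's own code) that applies the same filter to constructed sample audit events, parses the `[AlertType=*]` tag the same way the `parse` operator does, and counts webhook-bound modifications per source user. The event dicts and message text are constructed for illustration; real Audit Index messages carry more fields.

```python
import re
from collections import Counter

# Constructed sample audit events, not real Audit Index output. Each carries
# the fields the page names plus a message holding the "[AlertType=...]" tag.
SAMPLE_EVENTS = [
    {"_sourcecategory": "scheduled_search", "action": "MODIFY",
     "sourceuser": "alice@example.com",
     "message": "Scheduled search 'Failed logins' modified [AlertType=webhook]"},
    {"_sourcecategory": "scheduled_search", "action": "MODIFY",
     "sourceuser": "bob@example.com",
     "message": "Scheduled search 'Disk usage' modified [AlertType=email]"},
    {"_sourcecategory": "scheduled_search", "action": "CREATE",
     "sourceuser": "alice@example.com",
     "message": "Scheduled search 'New admins' created [AlertType=webhook]"},
    {"_sourcecategory": "scheduled_search", "action": "MODIFY",
     "sourceuser": "carol@example.com",
     "message": "Scheduled search 'Geo anomaly' modified [AlertType=webhook]"},
    {"_sourcecategory": "scheduled_search", "action": "MODIFY",
     "sourceuser": "dave@example.com",
     "message": "Scheduled search 'Legacy job' modified (no alert tag)"},
]

# Equivalent of: parse "[AlertType=*]" as alertType
ALERT_TYPE_RE = re.compile(r"\[AlertType=([^\]]*)\]")


def parse_alert_type(message):
    """Return the AlertType value, or None when the tag is absent."""
    m = ALERT_TYPE_RE.search(message)
    return m.group(1) if m else None


def webhook_modifications(events):
    """Apply the page's query: scheduled_search + MODIFY + alertType=webhook.
    Events without an AlertType tag are dropped, matching Sumo Logic's
    default parse behaviour (no `nodrop`)."""
    hits = []
    for e in events:
        if e.get("_sourcecategory") != "scheduled_search":
            continue
        if e.get("action") != "MODIFY":
            continue
        alert_type = parse_alert_type(e.get("message", ""))
        if alert_type == "webhook":
            hits.append({**e, "alertType": alert_type})
    return hits


def webhook_senders(events):
    """Count matching modifications per sourceuser, the field the page points to."""
    return Counter(h["sourceuser"] for h in webhook_modifications(events))
```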