Skip to main content
Sumo Logic

Log Search Audit Index

The Search Audit  Index is populated with log messages and the message contains search usage and activities for your account.

The Search Audit Index is populated with log messages and the message contains search usage and activities for your account. You can query the search audit index just like any other message using the Sumo Logic search page.

Query the Search Audit Index

  1. In the Search page, enter the query _index=sumologic_search_usage_per_query.

  2. Choose the time range for the audit events you’d like to review.

  3. Click Start to run the search. Results return in the Messages tab.

To ensure that only certain users can access the Search Audit Index, you can create a role that enables users with that role to access the index. Users without the role will not be able to access the index.

You do this by creating a role with this role search filter:
_index=sumologic_search_usage_per_query  

For more information on role search filters, see  Construct a Role Search Filter for a Role.

You can create a role specifically for access to the Search Audit Index by navigating to Administration > Users & Roles > Roles page. 

Create_Role_Search_Audit_Index.png

Search Audit Index Message Fields

The following table provides details on the fields returned by the index:

Field  Description
Time The time when the audit log was generated.
analytics_tier The data tier associated with the audit message. Learn more about tiers here.
data_retreived_bytes Amount of data retrieved by the search query. This represents the approximate size of messages that match the source expression of the query and are retrieved from scanning.
data_scanned_bytes Amount of data scanned by the search query. This is an approximation as scanned message bytes are captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved bytes in some cases due to this approximation)
execution_duration_ms Time taken to complete the search.
is_aggregate The boolean variable that indicates if the corresponding search query was an aggregate query. The aggregate operator’s list can be found here.
query The query text string run by the user.
query_end_time The end time in the time range specified as part of the query time parameter. (in ms epoch)
query_start_time The start time in the time range specified as part of the query time parameter. (in ms epoch)
query_type Identifies the type of query run within the account such as API, UI, Scheduled Views, etc. The values and their detailed description are provided in the next section.
remote_ip The remote IP of the source from where the query originated.
retrieved_message_count The number of messages returned by the search result. This represents the approximate count of messages that match the source expression of the query and are retrieved from scanning.
scanned_message_count The number of messages scanned by the search. This is an approximation, as scanned_message_ count is captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved_message_count in some cases due to this approximation.)
scanned_partition_count The number of partitions scanned by the search. This is an approximation as scanned message bytes are captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved bytes in some cases due to this approximation)
session_id An identifier for every search run within the account. This is the same SESSION number displayed in the UI in the search tab.
status_message It gives the Status of the search. The values include: Finished successfully, Query failed, and Query canceled.
user_name The email of the user that ran the search.

Query Type Field Values 

The table below shows the possible values for the field, query_type.
 

Query_type_value Description
Search API Search queries run by users using the Sumo Search Job API only.
Interactive Search Search queries run from the Search tab in the UI only.
Interactive Dashboard Search queries run from dashboards in the UI only.
Scheduled Search Scheduled search queries run as per the frequency specified by users in the org.
View Maintenance Scheduled View queries run on behalf of the users in the org.
Sumo Internal The Internal searches Sumo runs in the background that are critical in providing other services (For example, autocomplete, scheduled view optimization, etc.)
Live Dashboard Search queries used to power live dashboard panels.
Compare Search queries that are run as part of the logreduce operator or compare timeshift operators in the search query. The corresponding parent search query can be identified by the same session_id.
Subquery Subqueries are run as a separate search and corresponding attributes are captured in the Search Audit Index. The corresponding parent search query can be identified by the same session_id.
Monitor Queries associated with monitors.