The Search Audit Index is populated with log messages and the message contains search usage and activities for your account. You can query the search audit index just like any other message using the Sumo Logic search page.
Query the Log Search Audit Index
In the Search page, enter the query _index=sumologic_search_usage_per_query.
Choose the time range for the audit events you’d like to review.
Click Start to run the search. Results return in the Messages tab.
Restricting access to the Log Search Audit Index
To ensure that only certain users can access the LogSearch Audit Index, you can create a role that enables users with that role to access the index. Users without the role will not be able to access the index.
You do this by creating a role with this role search filter:
For more information on role search filters, see Construct a Role Search Filter for a Role.
You can create a role specifically for access to the Search Audit Index by navigating to Administration > Users & Roles > Roles page.
Log Search Audit Index Message Fields
The following table provides details on the fields returned by the index:
|Time||The time when the audit log was generated.|
|analytics_tier||The data tier associated with the audit message. Learn more about tiers here.|
|data_retreived_bytes||Amount of data retrieved by the search query. This represents the approximate size of messages that match the source expression of the query and are retrieved from scanning.|
|data_scanned_bytes||Amount of data scanned by the search query. This is an approximation as scanned message bytes are captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved bytes in some cases due to this approximation)|
|execution_duration_ms||Time taken to complete the search.|
|is_aggregate||The boolean variable that indicates if the corresponding search query was an aggregate query. The aggregate operator’s list can be found here.|
|query||The query text string run by the user.|
|query_end_time||The end time in the time range specified as part of the query time parameter. (in ms epoch)|
|query_start_time||The start time in the time range specified as part of the query time parameter. (in ms epoch)|
|query_type||Identifies the type of query run within the account such as API, UI, Scheduled Views, etc. The values and their detailed description are provided in the next section.|
|remote_ip||The remote IP of the source from where the query originated.|
|retrieved_message_count||The number of messages returned by the search result. This represents the approximate count of messages that match the source expression of the query and are retrieved from scanning.|
|scanned_message_count||The number of messages scanned by the search. This is an approximation, as scanned_message_ count is captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved_message_count in some cases due to this approximation.)|
|scanned_partition_count||The number of partitions scanned by the search. This is an approximation as scanned message bytes are captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved bytes in some cases due to this approximation)|
|session_id||An identifier for every search run within the account. This is the same SESSION number displayed in the UI in the search tab.|
|status_message||It gives the Status of the search. The values include: Finished successfully, Query failed, and Query canceled.|
|user_name||The email of the user that ran the search.|
Query Type Field Values
The table below shows the possible values for the field, query_type.
|Search API||Search queries run by users using the Sumo Search Job API only.|
|Interactive Search||Search queries run from the Search tab in the UI only.|
|Interactive Dashboard||Search queries run from dashboards in the UI only.|
|Scheduled Search||Scheduled search queries run as per the frequency specified by users in the org.|
|View Maintenance||Scheduled View queries run on behalf of the users in the org.|
|Sumo Internal||The Internal searches Sumo runs in the background that are critical in providing other services (For example, autocomplete, scheduled view optimization, etc.)|
|Live Dashboard||Search queries used to power live dashboard panels.|
|Compare||Search queries that are run as part of the logreduce operator or compare timeshift operators in the search query. The corresponding parent search query can be identified by the same session_id.|
|Subquery||Subqueries are run as a separate search and corresponding attributes are captured in the Search Audit Index. The corresponding parent search query can be identified by the same session_id.|
|Monitor||Queries associated with monitors.|
Index retention period
By default, the retention period of the Log Search Audit index is the same as the retention period of your Default Continuous Partition. You can change the retention period by editing the partition that contains the index,
sumologic_search_usage_per_query. For more information, see Edit a Partition.