Skip to main content

Search Audit Index

The Search Audit Index provides event logs on search usage and activities for your account. The index allows you to monitor and audit the search queries being run within your account, the types of queries, the users running them, and more.

To visualize your Search Audit Index data, download the Enterprise Search Audit App, which provides pre-built dashboards and reports to help you analyze your current search use and identify areas for improvement.

Availability

This feature is available in the following account plans.

Account TypeAccount Level
Cloud FlexTrial, Enterprise
Cloud Flex CreditsTrial, Enterprise Operations, Enterprise Security, Enterprise Suite

Enable the Search Audit Index

The Search Audit Index must be enabled by an administrator.

To enable the Search Audit Index:

  1. Classic UI. In the main Sumo Logic menu, select Administration > Security > Policies.
    New UI. In the top menu select Administration, and then under Account Security Settings select Policies. You can also click the Go To... menu at the top of the screen and select Policies.
  2. Under Sumo Logic Auditing, select Enable Search Audit Record.
    Enable Search Audit Index Record checkbox
note
  • Users with a role that grants the Manage audit data feed capability are allowed to enable the Search Audit Index.
  • Enabling the index will not count towards your data volume quota.
  • Logging to the index begins when the index is enabled.

Query the Search Audit Index

  1. In the Search page, enter the query _index=sumologic_search_usage_per_query.
  2. Choose the time range for the audit events you’d like to review.
  3. Click Start to run the search. Results return in the Messages tab.
note

Querying the index returns results only if the index is enabled.

Index retention period

By default, the retention period of the Search Audit index is the same as the retention period of your Default partition. You can change the retention period by editing the partition that contains the index, sumologic_search_usage_per_query. For more information, see Edit a Partition.

Log Search Audit Index message fields

The following table provides details on the fields returned by the index:

Field Description
timeThe time when the audit log was generated.
analytics_tierThe data tier associated with the audit message. Learn more about Data Tiers.
content_identifierThe ID of the content item that triggered the search query.
content_nameThe name of the content item that triggered the search query.
data_retreived_bytesAmount of data retrieved by the search query. This represents the approximate size of messages that match the source expression of the query and are retrieved from scanning.
data_scanned_bytesDisplays the total sum of scanned bytes for charged (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes). This value can be different from what users see in scan estimates on UI. Additionally, if a query contains a timecompare or subquery operator, the data_scanned_byte attribute in the audit log will include the sum of both the parent and child queries.
execution_duration_msTime taken to complete the search.
is_aggregateThe boolean variable that indicates if the corresponding search query was an aggregate query. The aggregate operator’s list can be found in Group or Aggregate Operators.
queryThe query text string run by the user.
query_end_timeThe end time in the time range specified as part of the query time parameter, in milliseconds since epoch.
query_start_timeThe start time in the time range specified as part of the query time parameter, in milliseconds since epoch.
query_typeIdentifies the type of query run within the account such as API, UI, Scheduled Views, etc. The values and their detailed description are provided in Query type field values.
remote_ipThe remote IP of the source from where the query originated.
retrieved_message_countThe number of messages returned by the search result. This represents the approximate count of messages that match the source expression of the query and are retrieved from scanning.
scanned_bytes_breakdownAmount of data scanned by the search query broken down by type.
scanned_message_countThe number of messages scanned by the search. This is an approximation, as scanned_message_count is captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved_message_count in some cases due to this approximation.)
scanned_partition_countThe number of partitions scanned by the search. This is an approximation as scanned message bytes are captured at intermittent time intervals and averaged over a query time range. (May be less than retrieved bytes in some cases due to this approximation.)
session_idAn identifier for every search run within the account. This is the same SESSION number displayed in the UI in the search tab.
status_messageGives the status of the search. The values include: Finished successfully, Query failed, and Query canceled.
user_nameThe email of the user that ran the search.
scanned_bytes_breakdown_by_metering_typeDisplays breakdown of the total amount of data scanned by a search query based on the metering type. It includes both charged metering types (Flex and Infrequent bytes) and non-charged metering types (Continuous and Frequent bytes).

Query type field values 

The table below shows the possible values for the query_type field.

query_type valueDescription
AlertsSearch queries run by users accessing the Alert Response Page.
Search APISearch queries run by users using the Search Job API only.
Interactive SearchSearch queries run from the Search tab in the UI only.
Interactive DashboardSearch queries run from dashboards in the UI only.
Scheduled SearchScheduled search queries run as per the frequency specified by users in the org.
View MaintenanceScheduled View queries run on behalf of the users in the org.
Sumo InternalThe Internal searches Sumo Logic runs in the background that are critical in providing other services (for example, autocomplete, scheduled view optimization, etc.).
Auto Refresh DashboardSearch queries used to power auto refresh dashboard panels.
MonitorQueries associated with monitors.
Span AnalyticsQueries run for filtering and aggregating trace data based on span attributes to understand application services performance. Queries can be built using input fields, with filters and visualized results available.
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.