Greetings,
I have a saved & shared search URL that has the SID in it. The search has long expired, and I'd like to get the original search string out of it.
Looking at: index=_internal $SID sort of works, but is painful to manually parse through. There really has to be a better way to do this.
A dead-sid search perhaps?
You can try the _audit index, this search worked for me:
index=_audit search_id='<your sid>' info=granted | table search,savedsearch_name