Splunk Search

Finding search strings when all you have is an expired SID

davidpaper
Contributor

Greetings,

I have a saved & shared search URL that has the SID in it. The search has long expired, and I'd like to get the original search string out of it.

Looking at: index=_internal $SID sort of works, but is painful to manually parse through. There really has to be a better way to do this.

A dead-sid search perhaps?

Tags (1)
1 Solution

chris
Motivator

You can try the _audit index, this search worked for me:

index=_audit search_id='<your sid>'  info=granted | table search,savedsearch_name

View solution in original post

chris
Motivator

You can try the _audit index, this search worked for me:

index=_audit search_id='<your sid>'  info=granted | table search,savedsearch_name
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...