{ "app": "search", "result": { "timestartpos": "0", "_serial": "2", "splunk_server": "myserver", "date_month": "january", "USER": "", "date_second": "32", "source": "/var/log/auth.log", "timeendpos": "15", "_si": [ "myserver", "main" ], "punct": "___::_-_:_(:):_____", "host": "myserver", "TTY": "", "_raw": "Jan 4 11:14:32 myserver sudo: pam_unix(sudo:session): session closed for user root", "_sourcetype": "syslog", "index": "main", "date_minute": "14", "date_year": "2017", "_kv": "1", "process": "sudo", "PWD": "", "pid": "", "_time": "1483557272", "uid": "", "date_zone": "local", "sourcetype": "syslog", "_indextime": "1483557272", "date_hour": "11", "date_mday": "4", "linecount": "", "eventtype": "", "COMMAND": "", "_eventtype_color": "", "date_wday": "wednesday", "_confstr": "source::/var/log/auth.log|host::myserver|syslog" }, "sid": "rt_scheduler__admin__search__sudo_at_1483557185_2.2", "search_name": "sudo", "owner": "admin" }