diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md index 359c89a9c0..0ea63e9419 100644 --- a/docs/search/get-started-with-search/search-basics/export-search-results.md +++ b/docs/search/get-started-with-search/search-basics/export-search-results.md @@ -29,3 +29,35 @@ You can export message fields to a CSV file, either just the fields displayed, o Click the gears icon in the top-right corner of the **Messages** tab, and then select **Export** **(Display Fields)** to export only the messages displayed, or **Export (All Fields)** to export all message fields. If the export is successful, your browser will automatically download the data and save it to a CSV file. ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png) + +:::info +Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported. + +
+ Sample log message + ```json + { + "userIdentity":{ + "userId":"00000000001***1", + "userEmail":"***.****@sumologic.com" + }, + "searchExportIdentity":{ + "exportId":"67C19***5BB4D96" + }, + "sessionId":"0FF9*****B09F", + "searchQuery":"_sourcecategory \**00 \"kubernetes/system\" \"error\"\n| where _pid \u003* \"****\"", + "exportedCount":11, + "location":"service UI raw", + "status":"SUCCESS", + "eventType":"Audit", + "severityLevel":"Info", + "accountId":"00000000005****7", + "eventId":"da6a5a2b-****-****-b01c-b63dba93fa66", + "eventName":"SearchExported", + "eventTime":"2025-03-24T15:49:27.664Z", + "eventFormatVersion":"1.0 beta", + "subsystem":"content" + } + ``` +
+:::
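Review bot: the sentence "Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` ... to ensure that no sensitive data is exported" in the new `:::info` block overstates what the event gives an administrator; the sample itself shows the event is emitted after the export has already succeeded (`"status":"SUCCESS"`, `"exportedCount":11`, `"eventTime"` stamped after the fact) and carries who ran it (`userIdentity`) and which `searchQuery` was exported, so it supports after-the-fact review and alerting, not prevention. Suggest wording along the lines of "to review who exported which search results and when". Also, the sample fenced as ```json in the details block is not valid JSON: the redaction asterisks were placed inside escape sequences in `"searchQuery"` (`\**00` and `\u003*` are not legal escapes), so anyone pasting it into a parser or a field-extraction test gets a parse error; mask the whole value with a placeholder such as `"searchQuery":"<redacted>"` rather than individual characters inside escapes.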