Hi,

In some cases it seems Splunk adds this kind of info to some winsec events:

Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a] Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a] Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]

Any idea how we can get rid of this?