topic Not able to search data with source. in Splunk Search

Not able to search data with source.

sridharlakshman — Mon, 21 May 2018 06:16:46 GMT

Hi Folks,

we are ingested the aws vpc flow logs in splunk and able to see the data while searching with index but while searching with source it is not showing any data for that particular source.

for example: while using below search it is showing data.
1. index=* and able to see that source(aws:cloudwatch:vpclogs)
2. index=* | stats count by source , it is display the source(aws:cloudwatch:vpclogs) with 86 event counts.

but while searching with below command.

index=* source=aws:cloudwatch:vpclogs it is not displaying any data.

Thanks,
Sridhar

Re: Not able to search data with source.

renjith_nair — Mon, 21 May 2018 10:57:06 GMT

Try putting the source in quotes (")

Re: Not able to search data with source.

FrankVl — Mon, 21 May 2018 11:05:44 GMT

Then you need to check the default search indexes that are assigned to your user role. Probably the specific index you put the vpc logs into, is not included in the indexes searched by default (ie. when using index=*).

Re: Not able to search data with source.

sridharlakshman — Mon, 21 May 2018 12:28:48 GMT

@renjith, I used the quotes but it is not working. index=test source="aws:guraddutty".

@Frank, I have access for that index and able to search other sources from that index.

Re: Not able to search data with source.

FrankVl — Tue, 22 May 2018 07:38:02 GMT

It's not about whether you have access. There are 2 settings related to indexes in a user role:

The indexes a role has access to (that you have)
The indexes searched by default (ie, when not specifying an index explicitely)

I would check that second setting. Quite possible this is set to the default setting of 'main' (if I'm not mistaken), which means index=* will only look in the main index, while your data is elsewhere. If you want to be able to search using index=*, you need to make sure the Indexes searched by default are set to contain the indexes you want to search through.

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 08:01:33 GMT

I have cross checked that the particular source is storing the data in test index. but it is not working while searching data with that sources

I tried these command and it is not working.

index=* source=aws:guarddutty
index=test source=aws:guarddutty
source=aws:guarddutty.

Re: Not able to search data with source.

FrankVl — Tue, 22 May 2018 08:20:07 GMT

Ok, now I'm getting confused.

In your question, you mentioned source=aws:cloudwatch:vpclogs, now you are searching for another source?

Also: I think it should be source=aws:guardduty, so with a single 't' in duty?

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 08:26:27 GMT

I given example. the issue is not able to search data with source.

Re: Not able to search data with source.

FrankVl — Tue, 22 May 2018 08:31:46 GMT

Just to prevent confusion over typo's in examples, can you provide a screenshot, showing the indexed data, showing the value of the source field. And then a second screenshot showing the search you are trying but fails?

Feel free to hide/obfuscate any sensitive info of course.

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 09:45:35 GMT

I could not able to upload the files here.

Re: Not able to search data with source.

FrankVl — Tue, 22 May 2018 09:52:19 GMT

Just put the screenshots on some online image host and then post the url here.

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 10:04:39 GMT

link text

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 10:05:38 GMT

https://paste.pics/69501affb1a5351e2c84e30b867cbb2b

https://paste.pics/856e54f2939816540c2c18728769b6b4

I have the posted link.

Re: Not able to search data with source.

sridharlakshman — Tue, 22 May 2018 10:06:52 GMT

https://paste.pics/999d3f8e8343a691d1250c688a1a930b

Re: Not able to search data with source.

povares_splunk — Wed, 30 Sep 2020 05:03:58 GMT

Either on $SPLUNK_HOME/etc/apps/{App where the source comes from}/fields.conf or $SPLUNK_HOME/etc/system/local/fields.conf, set the following configuration:

[source]
INDEXED = False
Restart Splunk.

NOTE: For Cloud users, have Support do this for you.

To my understanding, this is the reasoning behind this:

INDEXED=True
Setting this attribute to True, tells Splunk that the source has already been extracted during index-time. When we run a search with that source, Splunk will look for events that have "aws.guardduty" as their source (metadata).

INDEXED=False
Setting this attribute to False, tells Splunk that the source will need to be extracted during search-time. When we run a search with that source, Splunk will look for events that have "aws.guardduty" in their events (raw data). Otherwise, it will not find anything because the source was not extracted during index-time.

Find documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Fieldsconf