https://community.splunk.com/t5/Splunk-Search/How-to-explain-follow-audit-log/m-p/610459#M212302 <P><SPAN class="">I found follow logs in _audit logs.&nbsp; The user who run this search cannot access internal logs, so I assume the underline part is added by Splunk system.&nbsp;</SPAN></P><P><SPAN class="">Could anyboda explain follow 2 questions?</SPAN></P><P><SPAN class="">What does the underline part mean? </SPAN></P><P><SPAN class="">what does the field _cd mean?</SPAN></P><P><SPAN class="">search=</SPAN><SPAN>'</SPAN><SPAN class="">search</SPAN><SPAN> (</SPAN><SPAN class="">index=</SPAN><SPAN>* </SPAN><SPAN class="">OR</SPAN> <SPAN class="">index=_</SPAN><SPAN>*) </SPAN><SPAN class="">_time</SPAN><SPAN>&gt;</SPAN><SPAN class="">=1661000447</SPAN> <SPAN class="">_time</SPAN><SPAN>&lt;</SPAN><SPAN class="">1661000460</SPAN> <SPAN class="">host=</SPAN><SPAN>"XXX</SPAN><SPAN>" </SPAN><SPAN class="">source=</SPAN><SPAN>"XXX</SPAN><SPAN>" | </SPAN><U><SPAN class="">eval</SPAN> <SPAN class="">_DBID</SPAN> <SPAN class="">=</SPAN> <SPAN class="">replace</SPAN>(<SPAN class="">_cd</SPAN>, "(<SPAN class="">\d</SPAN>+)<SPAN class="">:\d</SPAN>+", "<SPAN class="">\1</SPAN>") | <SPAN class="">eval</SPAN> <SPAN class="">_OFFSET</SPAN> <SPAN class="">=</SPAN> <SPAN class="">replace</SPAN>(<SPAN class="">_cd</SPAN>, "<SPAN class="">\d</SPAN>+<SPAN class="">:</SPAN>(<SPAN class="">\d</SPAN>+)", "<SPAN class="">\1</SPAN>")']</U></P> Tue, 23 Aug 2022 07:40:35 GMT xiyangyang 2022-08-23T07:40:35Z https://community.splunk.com/t5/Splunk-Search/How-to-explain-follow-audit-log/m-p/610459#M212302 <P><SPAN class="">I found follow logs in _audit logs.&nbsp; The user who run this search cannot access internal logs, so I assume the underline part is added by Splunk system.&nbsp;</SPAN></P><P><SPAN class="">Could anyboda explain follow 2 questions?</SPAN></P><P><SPAN class="">What does the underline part mean? </SPAN></P><P><SPAN class="">what does the field _cd mean?</SPAN></P><P><SPAN class="">search=</SPAN><SPAN>'</SPAN><SPAN class="">search</SPAN><SPAN> (</SPAN><SPAN class="">index=</SPAN><SPAN>* </SPAN><SPAN class="">OR</SPAN> <SPAN class="">index=_</SPAN><SPAN>*) </SPAN><SPAN class="">_time</SPAN><SPAN>&gt;</SPAN><SPAN class="">=1661000447</SPAN> <SPAN class="">_time</SPAN><SPAN>&lt;</SPAN><SPAN class="">1661000460</SPAN> <SPAN class="">host=</SPAN><SPAN>"XXX</SPAN><SPAN>" </SPAN><SPAN class="">source=</SPAN><SPAN>"XXX</SPAN><SPAN>" | </SPAN><U><SPAN class="">eval</SPAN> <SPAN class="">_DBID</SPAN> <SPAN class="">=</SPAN> <SPAN class="">replace</SPAN>(<SPAN class="">_cd</SPAN>, "(<SPAN class="">\d</SPAN>+)<SPAN class="">:\d</SPAN>+", "<SPAN class="">\1</SPAN>") | <SPAN class="">eval</SPAN> <SPAN class="">_OFFSET</SPAN> <SPAN class="">=</SPAN> <SPAN class="">replace</SPAN>(<SPAN class="">_cd</SPAN>, "<SPAN class="">\d</SPAN>+<SPAN class="">:</SPAN>(<SPAN class="">\d</SPAN>+)", "<SPAN class="">\1</SPAN>")']</U></P> Tue, 23 Aug 2022 07:40:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-explain-follow-audit-log/m-p/610459#M212302 xiyangyang 2022-08-23T07:40:35Z https://community.splunk.com/t5/Splunk-Search/How-to-explain-follow-audit-log/m-p/610476#M212312 <P>The underscore in an index or field name is just part of the name, however, names beginning with an underscore are reserved for use by Splunk.</P><P>The _cd field gives the location of an event within an index.&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/Usedefaultfields#_cd" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/Usedefaultfields#_cd</A>&nbsp;for details.</P> Tue, 23 Aug 2022 12:09:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-explain-follow-audit-log/m-p/610476#M212312 richgalloway 2022-08-23T12:09:29Z