Fields missing when searching index=_audit on SH

mvagionakis
Path Finder

Hello splunkers,

I'm trying to find users' command history on my SH, but when I run the following command I get zero results:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

I realized that a lot of fields are missing.
When I run index=_audit I have only the host, index, source and sourcetype fields; all the others (search, user, etc.) are missing.

Do you have any idea why I have this strange phenomenon?

I did the test on another SH and the command works perfectly and I have all the fields.
Is there any conf file that could have been deleted (or modified) accidentally by another admin?

Thank you in advance.
Michael

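To make the intent of the search above concrete (and to show that the missing fields are plain key=value pairs inside each audittrail event, not something a search head has to be told about), here is an added example that is not from the thread: a small Python script that parses constructed audittrail-style lines, applies the same exclusions the SPL uses (scheduler jobs, |history, splunk-system-user, typeahead and the metadata probe), and groups the remaining searches by user. The sample events, timestamps and user names are made up; the regex is an approximation of Splunk's automatic key=value extraction, not Splunk's own code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape of Splunk audittrail records.
# Not real log output: users, timestamps and searches are invented.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-05-2024 10:14:50.000, user=admin, action=login attempt, info=succeeded, reason="", useragent="curl/8.0"]
Audit:[timestamp=03-05-2024 10:15:22.123, user=admin, action=search, info=granted, search_id='1709633722.12', search='search index=_internal | head 5', ttl=600]
Audit:[timestamp=03-05-2024 10:16:01.004, user=splunk-system-user, action=search, info=granted, search_id='scheduler__nobody__search__RMD5abc_at_1709633760_1', search='search index=main error', ttl=600]
Audit:[timestamp=03-05-2024 10:16:40.771, user=analyst, action=search, info=granted, search_id='1709633800.15', search='typeahead prefix="index=" count=10', ttl=600]
Audit:[timestamp=03-05-2024 10:17:05.002, user=analyst, action=search, info=granted, search_id='1709633825.16', search='| metadata type=sourcetypes | search totalCount>0', ttl=600]
Audit:[timestamp=03-05-2024 10:18:30.900, user=analyst, action=search, info=granted, search_id='1709633910.17', search='search index=wineventlog EventCode=4625 | stats count by user', ttl=600]
Audit:[timestamp=03-05-2024 10:19:12.333, user=admin, action=search, info=denied, search_id='1709633952.18', search='search index=restricted', ttl=600]
Audit:[timestamp=03-05-2024 10:20:00.000, user=admin, action=search, info=granted, search_id='1709634000.19', search='|history', ttl=600]
"""

# key=value pairs: single-quoted (may contain commas, pipes, '='),
# double-quoted, or a bare token that runs up to the next ',' or ']'.
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|[^,\]]*)")

# The fields the SPL in the thread relies on; the same exclusions it applies.
EXPECTED_FIELDS = ("user", "action", "info", "search")
EXCLUDED_USERS = {"splunk-system-user"}
EXCLUDED_SEARCH_PREFIXES = ("|history", "typeahead", "| metadata type=")


def parse_audit_event(line):
    """Extract key=value pairs from one audittrail line into a dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop the surrounding quotes
        fields[key] = value
    return fields


def missing_expected_fields(event):
    """Which of the fields the SPL needs are absent from this event."""
    return [f for f in EXPECTED_FIELDS if f not in event]


def is_interactive_user_search(event):
    """Mirror the SPL filter: granted ad-hoc searches by real users only."""
    if event.get("action") != "search" or event.get("info") != "granted":
        return False
    if "search" not in event or event.get("user") in EXCLUDED_USERS:
        return False
    if event.get("search_id", "").startswith("scheduler"):
        return False
    return not event["search"].startswith(EXCLUDED_SEARCH_PREFIXES)


def search_history_by_user(raw_events):
    """Return {user: [(time, search), ...]} in time order, like the SPL's stats list()."""
    events = [parse_audit_event(l) for l in raw_events.splitlines() if l.strip()]
    kept = [e for e in events if is_interactive_user_search(e)]
    kept.sort(key=lambda e: datetime.strptime(e["timestamp"], "%m-%d-%Y %H:%M:%S.%f"))
    history = defaultdict(list)
    for e in kept:
        when = datetime.strptime(e["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
        history[e["user"]].append((when.strftime("%Y-%m-%d %H:%M:%S"), e["search"]))
    return dict(history)


if __name__ == "__main__":
    for user, entries in search_history_by_user(SAMPLE_AUDIT).items():
        print(user)
        for when, spl in entries:
            print(f"  {when}  {spl}")
```

If a search head really returns only host, index, source and sourcetype for index=_audit, the audittrail events are either not reaching the search at all (check where the SH sends its internal indexes and which peers it searches) or the key=value extraction is not being applied to that sourcetype; running `missing_expected_fields` over a handful of raw events pulled from the SH shows quickly which of the two it is.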

nikita_p
Contributor

Hi @mvagionakis,
Have you pointed all your search heads to the indexers in outputs.conf?
Please check the link below, which might help you.
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata

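The outputs.conf setup that nikita_p's link describes, written out as an added example (this is not a file from the thread, and the indexer hostnames, port and group name are assumed). Placed on the search head, it forwards everything the SH generates, including the internal _audit index, to the indexers and keeps no local copy, so `index=_audit` on the SH is answered by the search peers:

```ini
# $SPLUNK_HOME/etc/system/local/outputs.conf on the search head
# Assumed indexer hosts and port; replace with your own.

[indexAndForward]
# Do not keep a local copy of forwarded data on the search head.
index = false

[tcpout]
defaultGroup = search_head_indexers
# Without this, internal indexes such as _audit and _internal are NOT forwarded.
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:search_head_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

Two checks worth doing on the SH that is missing the fields: `splunk btool outputs list --debug` shows the effective tcpout settings and the file each one comes from (a stray app overriding `forwardedindex.filter.disable` would show up here), and comparing that output with the SH where the search works tells you whether the two are actually configured the same way.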

nickhills
Ultra Champion

It sounds like you may be searching in fast mode. Try enabling verbose mode and see if the results are different.

[Screenshot: Fast mode]

[Screenshot: Verbose mode]

I also corrected your search, which had an error. Try this:

index=_audit action=search info=granted NOT "search_id=scheduler" NOT "search=|history" NOT "user=splunk-system-user" NOT "search=typeahead" NOT "search=| metadata type= | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user
If my comment helps, please give it a thumbs up!

mvagionakis
Path Finder

Hello nickhillscpl,

I'm already in verbose mode.

Also, as I said, even if I run index=_audit, I have no fields detected except the four I mentioned.

Thank you


harsmarvania57
SplunkTrust

Hi,

Can you please post your query in Code Sample format (101010)?


mvagionakis
Path Finder

Hi,
It's done.
Thank you
