Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fileds missing when searching index=_audit on SH

mvagionakis
Path Finder
‎12-20-2017 02:17 AM

Hello splunkers,

I'm trying to find users command history on my SH but when I'm running the following command I have zero results:

index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user

I realized that a lot of fields missing.
When I run index=_audit I have only host, index,source and sourcetype fileds, all the other(search, user, etc) are missing.

Do you have any idea why I have this strange phenomenon?

I did the test to another SH and the command works perfect and I have all the fields.
Is there any conf file that could be deleted (or modified) accidentally by an other admin?

Thank you in advance.
Michael

Tags (1)
0 Karma
Reply

nikita_p
Contributor
‎12-20-2017 04:44 AM

Hi @mvagionakis,
Have you pointed all your search heads to indexers in outputs.conf?
Please check below link which might help you.
http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata

0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 03:14 AM

It sounds like you may be searching in fast-mode. try enabling verbose mode and see if the results are different.

Fast mode
alt text

Verbose Mode
alt text

I also corrected your search which had an error - try this:

index=_audit action=search info=granted NOT "search_id=scheduler" NOT "search=|history" NOT "user=splunk-system-user" NOT "search=typeahead" NOT "search=| metadata type= | search totalCount>0" | stats count by user search _time | sort _time | convert ctime(_time) | stats list(_time) as time list(search) as search by user
If my comment helps, please give it a thumbs up!
0 Karma
Reply

mvagionakis
Path Finder
‎12-20-2017 04:55 AM

Hello, nickhillscpl ,

I'm already in verbose mode.

Also, as I said , even if I run index=_audit, I have no field detected except those four that I said.

thank you

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-20-2017 03:08 AM

Hi,

Can you please post your query in Code Sample format (101010) ?

0 Karma
Reply

mvagionakis
Path Finder
‎12-20-2017 05:05 AM

hi,
it's done
thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...