Solved: one of the field value showing results which didn'...

senthild · ‎01-02-2024

one for the search query from splunk AWS

index="aws_cloud" | search eventname="value1" OR "value2" OR "value3"

The above search query is giving the events for the all the above searched one also giving one more value which didn't searched

eventName: LookupEvents ==> getting this field and value which didn't search

dtburrows3 · ‎01-02-2024

try this instead

 index="aws_cloud" eventName IN ("value1", "value2", "value3")

I believe the format you posted is searching eventName="value1" OR any raw log containing the strings "value2" OR "value3" even if "value2" OR "value3" isn't the actual value of eventName for that particular event.

View solution in original post

dtburrows3 · ‎01-02-2024

try this instead

 index="aws_cloud" eventName IN ("value1", "value2", "value3")

I believe the format you posted is searching eventName="value1" OR any raw log containing the strings "value2" OR "value3" even if "value2" OR "value3" isn't the actual value of eventName for that particular event.

one of the field value showing results which didn't search

troubleshooting

using Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?