Splunk Enterprise Security

Splunk Enterprise Security: Why does Inputlookup (kvstore) not showing all available fields?

ernieyee
New Member

Splunk Enterprise version is 6.5.2

kvstore correlationsearches_lookup is defined in app SA-ThreatIntelligence (version 4.5.0) which is part of Enterprise Security (version 4.5.0).

The definition of correlationsearches_lookup is as below in :

alt text

But the command | inputlookup correlationsearches_lookup and | inputlookup correlationsearches_lookup | transpose | table column only shows 10 of 15 available fields.

alt text

May I know why the remaining 5 fields does not show in the result?
Is it possible to show all 15 fields in the result?

Thanks!

0 Karma
1 Solution

jstoner_splunk
Splunk Employee
Splunk Employee

If fields do not return any values in the search, the field will not show on the search results screen by default. I suspect the fields you mention are be default null so that is why they are not showing. If you issue a |table rule_name default_status default_owner, you will see those fields forced out as columns, but I suspect they are null. Looking in correlation_searches.conf in the SA-ThreatIntelligence, you will see by default the default_status and default_owner are null fields.

View solution in original post

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

If fields do not return any values in the search, the field will not show on the search results screen by default. I suspect the fields you mention are be default null so that is why they are not showing. If you issue a |table rule_name default_status default_owner, you will see those fields forced out as columns, but I suspect they are null. Looking in correlation_searches.conf in the SA-ThreatIntelligence, you will see by default the default_status and default_owner are null fields.

View solution in original post

0 Karma

ernieyee
New Member

That's the case.
Thanks a lot!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!