Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Why does Inputlookup (kvstore) not showing all available fields?

ernieyee
New Member
‎02-23-2017 07:27 PM

Splunk Enterprise version is 6.5.2

kvstore correlationsearches_lookup is defined in app SA-ThreatIntelligence (version 4.5.0) which is part of Enterprise Security (version 4.5.0).

The definition of correlationsearches_lookup is as below in :

alt text

But the command | inputlookup correlationsearches_lookup and | inputlookup correlationsearches_lookup | transpose | table column only shows 10 of 15 available fields.

alt text

May I know why the remaining 5 fields does not show in the result?
Is it possible to show all 15 fields in the result?

Thanks!

Preview file
106 KB
Preview file
30 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jstoner_splunk
Splunk Employee
Splunk Employee
‎03-13-2017 05:03 AM

If fields do not return any values in the search, the field will not show on the search results screen by default. I suspect the fields you mention are be default null so that is why they are not showing. If you issue a |table rule_name default_status default_owner, you will see those fields forced out as columns, but I suspect they are null. Looking in correlation_searches.conf in the SA-ThreatIntelligence, you will see by default the default_status and default_owner are null fields.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jstoner_splunk
Splunk Employee
Splunk Employee
‎03-13-2017 05:03 AM

If fields do not return any values in the search, the field will not show on the search results screen by default. I suspect the fields you mention are be default null so that is why they are not showing. If you issue a |table rule_name default_status default_owner, you will see those fields forced out as columns, but I suspect they are null. Looking in correlation_searches.conf in the SA-ThreatIntelligence, you will see by default the default_status and default_owner are null fields.

0 Karma
Reply
Solved! Jump to solution

ernieyee
New Member
‎03-19-2017 09:02 PM

That's the case.
Thanks a lot!

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...