Splunk Enterprise Security

Trace a value in Splunk / data lineage

mihenn
Path Finder

Hi,

Is there a way to trace the origin of a specific value in Splunk? Currently I am trying to figure out which eventtype, lookup or eval is setting a tag and a field value for some events in Splunk. I used btool to figure out if there are some evals, but they do not apply. I found some lookups, but these do not contain the value I am looking for.

A code trace or data lineage function would be very helpful sometimes.
Does anyone know a function in Splunk or an app for this?

Thank you.

0 Karma

adonio
Ultra Champion

Try to find the sourcetype value your event / data has, then run this search:

 | rest services/saved/sourcetypes 
 | search title=<your_sourcetype>

If the list is huge, you can use the command:

 | fieldsummary

Look through the results and it'll give you all the EVAL-, REPORT-, etc. definitions for your fields.

Hope it helps.

0 Karma

xavierashe
Contributor

Have you looked in the search inspector? Drill down into the properties. Sometimes I can figure out where things came from there.

0 Karma

mihenn
Path Finder

I checked on that, too. That's where I found out that a lookup is used. Unfortunately, not which one. Finally I found the source on the search head by searching all lookups with find.

It would be nice to have a mouseover in Splunk, which shows if the value is from _raw or was modified.

0 Karma
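The two manual steps described in this thread (adonio's suggestion to read the EVAL-/REPORT- definitions for a sourcetype, and mihenn's final approach of searching every lookup file with find) can be scripted. The example below is an added illustration, not code from the thread or from Splunk: it assumes the props text comes from `splunk btool props list` (a constructed sample stands in for that output here) and that lookup tables live under `$SPLUNK_HOME/etc/apps/*/lookups`.

```shell
#!/bin/sh
# Added example: trace which props.conf settings can create or modify a field
# for one sourcetype, and which lookup CSVs contain a given value.

# list_field_sources STANZA  (reads btool/props.conf-style text on stdin)
# Prints only the keys in [STANZA] that derive fields or drive lookups:
# EVAL-, REPORT-, EXTRACT-, FIELDALIAS-, LOOKUP-, TRANSFORMS-.
list_field_sources() {
  awk -v want="[$1]" '
    /^\[/ { in_stanza = ($0 == want); next }
    in_stanza && /^(EVAL|REPORT|EXTRACT|FIELDALIAS|LOOKUP|TRANSFORMS)-/ { print }
  '
}

# find_lookups_with_value VALUE DIR
# Prints every .csv under DIR whose contents contain VALUE as a fixed string,
# i.e. the candidate lookup tables that could have injected that value.
find_lookups_with_value() {
  find "$2" -name '*.csv' -exec grep -lF -- "$1" {} + 2>/dev/null | sort
}

# Constructed sample standing in for `splunk btool props list` output.
SAMPLE_PROPS='[access_combined]
EVAL-src_tag = if(src_ip="10.0.0.5","internal","external")
LOOKUP-asset = asset_lookup src_ip OUTPUT owner
REPORT-kv = kv_pairs
[syslog]
EVAL-severity = "low"'

# Usage: which settings touch fields of access_combined events?
printf '%s\n' "$SAMPLE_PROPS" | list_field_sources access_combined
# Real run (assumed paths): splunk btool props list my_sourcetype | list_field_sources my_sourcetype
#                          find_lookups_with_value "suspicious value" "$SPLUNK_HOME/etc/apps"
```

Because `btool` shows the merged configuration, the same approach also catches definitions inherited from a different app than the one you expected.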