Splunk Enterprise Security

Trace a value in Splunk / data lineage

mihenn
Path Finder

Hi,

is there a way to trace the origin of a specific value in Splunk? Currently I am trying to figure out which eventtype, lookup or eval is setting a tag and a field value for some events in Splunk. I used btool to figure out if there are some evals. But they do not apply. I found some lookups, but these do not contain the value I am looking for.

A code trace or data lineage function would be very helpful sometimes.
Does anyone know a function in Splunk or an app for this?

Thank you.

0 Karma

adonio
Ultra Champion

try to find the value for the sourcetype your event / data has
then run this search:

 | rest services/saved/sourcetypes 
 | search title=<your_sourcetype>

if the list is huge, you can use the command:

 | fieldsummary

look for the results and it'll give you all the EVAL- REPORT- etc. definitions for your fields

hope it helps

0 Karma

xavierashe
Contributor

Have you looked in the search inspector? Drill down into the properties. Sometimes I can figure out where things came from there.

0 Karma

mihenn
Path Finder

I checked on that, too. That's where I found out that a lookup is used. Unfortunately not which one. Finally I found the source on the search head by searching all lookups with find.

It would be nice to have a mouseover in Splunk, which shows if the value is from _raw or was modified.

0 Karma
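The manual lineage hunt described in this thread (btool for EVAL- settings, the search inspector, then find over the lookup files on the search head) can be scripted. The following is an added example and is not code from any poster or from Splunk: it builds a small constructed app directory (the app name, lookup CSV, props.conf and tags.conf contents are all made up for the demo) and then provides three functions that answer the question "where could this value or field be coming from?" by scanning lookup CSVs for a value, props.conf for EVAL-/LOOKUP-/REPORT- settings that mention a field, and tags.conf for field=value stanzas. On a real search head you would point APP_DIR at $SPLUNK_HOME/etc/apps (and etc/users) and, for the merged view across apps, still prefer splunk btool props list --debug.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed Splunk-style
# app layout under a temp dir and scans it for the origin of a value.
set -e

APP_DIR="$(mktemp -d)"
trap 'rm -rf "$APP_DIR"' EXIT
mkdir -p "$APP_DIR/demo_app/lookups" "$APP_DIR/demo_app/local"

# Constructed lookup table: maps a host to an asset class.
cat > "$APP_DIR/demo_app/lookups/asset_info.csv" <<'EOF'
host,asset_class,is_critical
web01,dmz_web,true
db01,internal_db,true
EOF

# Constructed props.conf with one EVAL-, one LOOKUP- and one REPORT- setting.
cat > "$APP_DIR/demo_app/local/props.conf" <<'EOF'
[access_combined]
EVAL-severity = if(status>=500, "high", "low")
LOOKUP-asset = asset_info host OUTPUT asset_class is_critical
REPORT-kv = extract_kv
EOF

# Constructed tags.conf: a tag attached to a field=value pair.
cat > "$APP_DIR/demo_app/local/tags.conf" <<'EOF'
[asset_class=dmz_web]
external = enabled
EOF

# Print every lookup CSV under DIR that contains VALUE, one path per line.
# This is the "find over all lookups" step from the thread, made repeatable.
find_value_in_lookups() {
    _dir="$1"; _value="$2"
    find "$_dir" -path '*/lookups/*.csv' -type f -exec grep -l -- "$_value" {} + 2>/dev/null | sort
}

# Print "file:stanza:setting" for every EVAL-/LOOKUP-/REPORT- line in any
# props.conf under DIR that mentions FIELD, so the sourcetype stanza that
# defines or populates the field is visible at a glance.
find_field_in_props() {
    _dir="$1"; _field="$2"
    find "$_dir" -name props.conf -type f | sort | while read -r f; do
        awk -v field="$_field" -v file="$f" '
            /^\[/ { stanza = substr($0, 2, length($0) - 2); next }
            /^(EVAL|LOOKUP|REPORT)-/ && index($0, field) { print file ":" stanza ":" $0 }
        ' "$f"
    done
}

# Print the field=value stanza name of every tags.conf entry that mentions VALUE,
# which shows where a tag is being attached to that value.
find_value_in_tags() {
    _dir="$1"; _value="$2"
    find "$_dir" -name tags.conf -type f | sort | while read -r f; do
        awk -v value="$_value" '/^\[/ && index($0, value) { print substr($0, 2, length($0) - 2) }' "$f"
    done
}

# Usage on the constructed tree: trace the value "dmz_web" and the field "asset_class".
find_value_in_lookups "$APP_DIR" dmz_web
find_field_in_props "$APP_DIR" asset_class
find_value_in_tags "$APP_DIR" dmz_web
```

Run against the constructed tree, the three calls show the lookup CSV that carries the value, the LOOKUP-asset setting in the access_combined stanza that populates asset_class, and the asset_class=dmz_web tag stanza; together that is the lineage the original question was after (value in a lookup, wired in by a LOOKUP- setting, then tagged). Only local/ is constructed here; on a real system scan both default/ and local/ of every app, because a local/ setting silently overrides default/.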