Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Has anyone been able to figure out how to search indexed XmlWinEventLog sourcetype sample logs in the Ingest Action GUI?

tjones130
Engager
‎05-10-2023 06:05 AM
Has anyone been able to figure out how to search indexed XmlWinEventLog sourcetype sample logs in the Ingest Action GUI? The actual search being used uses the |where command which seems to be the issue.
index=* OR index=_* sourcetype="XmlWinEventLog"
| where sourcetype="XmlWinEventLog"
| head 100

 

Screenshot 2023-05-10 at 9.02.53 AM.png

Screenshot 2023-05-10 at 9.02.25 AM.png

  

Labels (1)
Labels
Reply

fjiang
Splunk Employee
Splunk Employee
‎07-25-2024 02:47 PM

Hi there!

This was published as a known issue first in 9.0.2: https://docs.splunk.com/Documentation/Splunk/9.0.2/ReleaseNotes/KnownIssues

See the entry for SPL-235416.

The preview UI in Ingest Actions has since been fixed in:
Splunk Enterprise version 9.0.5+
Splunk Cloud Platform version 9.0.2303+

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2023 06:26 AM

where is case-sensitive, search is not. Check the exact spelling and case of the sourcetype you are searching for.

0 Karma
Reply

tjones130
Engager
‎05-10-2023 06:46 AM

I have tried multiple variations of case-sensitivity, with no luck. The sourcetype that returns when running index=* sourcetype="XmlWinEventLog" is "XmlWinEventLog". 

Screenshot 2023-05-10 at 9.44.20 AM.png

0 Karma
Reply
Get Updates on the Splunk Community!

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...