Splunk Search

Help with Search != litsearch --- In 'litsearch' there are extra unwanted key=value statements

dural_yyz
Path Finder

We are spending a tremendous amount of time tuning our search structures lately. One thing we have run across in our Enterprise Security environment is an unwanted key=value in litsearch when reviewing the job board.

SPL

index=any-index-value sourcetype=any-sourcetype-value

litsearch

(index=any-index-value (sourcetype=any-sourcetype-value OR sourcetype=never-mentioned-value))

This 'never-mentioned-value' is always the same regardless of index or sourcetype we place in the SPL. Things I have checked for:

- props-lookups: No 'sourcetype as x' on input side OR 'x as sourcetype' on output side

- props-EVAL-sourcetype = case(x,never-mentioned-value): this exists in our prod, but the same config in a lower environment did not trigger the same action (will be removing this shortly after the next push because I just don't like it)

- TRANSFORMS - can not find any items of interest here


I have tried the following alternative searches

index=any-index-value

OR

index=any-index-value sourcetype::any-sourcetype-value

In both of the above SPL the 'extra' sourcetype key=value does not appear in the litsearch. I do understand the differences in indexed fields and how the searches above are not triggering the additional key=value.


What I need help/direction/input on is how to track down the errant conf edit that is resulting in additional litsearch values when the SPL contains 'sourcetype='.
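One search-time setting that makes `sourcetype=X` expand in litsearch to `(sourcetype=X OR sourcetype=Y)` is a props.conf stanza `[Y]` carrying `rename = X`. The script below is an added diagnostic example, not code from the post or from Splunk: it parses layered props.conf text and reports every stanza that renames itself to the sourcetype you are searching. The `SAMPLE_CONFS` contents, the `some_ta` app path and the assumption that `rename` is the mechanism involved are all constructed for illustration.

```python
"""Find props.conf stanzas whose `rename` points at a given sourcetype.

Added example, not the poster's code. Assumes the props.conf `rename`
setting is what makes a search for one sourcetype also match another
(a stanza [old] with rename = new is matched by sourcetype=new)."""
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.
    Later duplicate keys in a stanza overwrite earlier ones."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1).strip()] = m.group(2)
    return stanzas

def find_renames_to(confs, sourcetype):
    """Return [(path, stanza)] for stanzas with rename = sourcetype.
    confs maps a file path to that props.conf's text."""
    hits = []
    for path, text in confs.items():
        for stanza, settings in parse_conf(text).items():
            if settings.get("rename") == sourcetype:
                hits.append((path, stanza))
    return hits

def load_props(splunk_home):
    """Collect every props.conf under $SPLUNK_HOME/etc (system and apps)."""
    root = Path(splunk_home) / "etc"
    return {str(p): p.read_text(errors="replace") for p in root.rglob("props.conf")}

# Constructed sample standing in for two layered props.conf files.
SAMPLE_CONFS = {
    "etc/apps/some_ta/default/props.conf": "[any-sourcetype-value]\nTIME_PREFIX = ^\n",
    "etc/apps/some_ta/local/props.conf": "# local override\n[never-mentioned-value]\nrename = any-sourcetype-value\n",
}

if __name__ == "__main__":
    for path, stanza in find_renames_to(SAMPLE_CONFS, "any-sourcetype-value"):
        print(f"{path}: [{stanza}] rename -> any-sourcetype-value")
```

On a live instance, `splunk btool props list --debug` prints the same layered settings together with the file each one came from, so the offending stanza can be confirmed there before editing.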
