Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with Search != litsearch --- In 'litsearch' there are extra unwanted key=value statements

dural_yyz
Motivator
‎08-16-2022 09:46 PM

We are spending a tremendous amount of time tuning our search structures lately. One thing we have run across in our Enterprise Security environment is an unwanted key=value in litsearch when reviewing the job board.

SPL

index=any-index-value sourcetype=any-sourcetype-value

litsearch

(index=any-index-value (sourcetype=any-sourcetype-value OR sourcetype=never-mentioned-value))

This 'never-mentioned-value' is always the same regardless of index or sourcetype we place in the SPL.  Things I have checked for:

- props-lookups: No 'sourcetype as x' on input side OR 'x as sourcetype' on output side

- props-EVAL-sourcetype = case(x,never-mentioned-value), this exists in our prod but same config in lower environment did not trigger the same action (will be removing this shortly after next push cause I just don't like it)

- TRANSFORMS - can not find any items of interest here

 

I have tried the following alternative searches

index=any-index-value

OR

index=any-index-value sourcetype::any-sourcetype-value

In both of the above SPL the 'extra' sourcetype key=value does not appear in the litsearch.  I do understand the differences in indexed fields and how the searches above are not triggering the addition key=value.

 

What I need help/direction/input is how do I track down the errant conf edit that is resulting in additional litsearch values when the SPL contains 'sourcetype='.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-25-2022 07:08 AM

Thank you for bumping this up again as I had forgotten about it.

Your suggestion was a good idea for me to check but search filters are not something we have implemented in our environment so the values are blank or wildcard.

 

Turns out I was able to solve this by finding the errant sourcetype props.  Under that was the following code.

[existing:sourcetype]
....
EVAL-sourcetype = case(value_doesnt_occur,"existing:sourcetype")

I commented out this EVAL.  Since it was only defined under the final value it would never actually execute.  However since part of the environment felt that sourcetype was an extracted value and not an indexed field this must be what was causing the litsearch to mysteriously add the content into the search string.

The app came built by the vendor and not splunk and since the key = value does not violate any patterns I assumed the app would pass validation checks.  I think this comes down to down mix extracted fields with indexed fields for best practice.

FYI - we have also carried this forward and re-written many of our eventtype tags so that the raw search does not contain any extracted field references which are also data model destination field names.( ie Eventtypes raw search does not contain action=x or user=y statements).  I would only do this in very large environments with processing or search tuning requirements - don't fix if it aint broke!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mschaaf
Path Finder
‎11-25-2022 05:12 AM

This could be due to your account having one or more roles that is assigned a srchFilter or imported_srchFilter.  This rest query will list any assigned to your role(s):

| rest splunk_server::local /services/authorization/roles/ 
| stats values(*srchFilter*) AS *srchFilter* by title 
| rename title AS role 
| append 
    [ rest splunk_server::local /services/authentication/current-context 
    | stats values(roles) AS role by username 
    | mvexpand role ] 
| stats values(*srchFilter*) AS *srchFilter* 
    values(username) as username
    by role 
| search username=* (srchFilter!="" OR imported_srchFilter!="")
Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎11-25-2022 07:08 AM

Thank you for bumping this up again as I had forgotten about it.

Your suggestion was a good idea for me to check but search filters are not something we have implemented in our environment so the values are blank or wildcard.

 

Turns out I was able to solve this by finding the errant sourcetype props.  Under that was the following code.

[existing:sourcetype]
....
EVAL-sourcetype = case(value_doesnt_occur,"existing:sourcetype")

I commented out this EVAL.  Since it was only defined under the final value it would never actually execute.  However since part of the environment felt that sourcetype was an extracted value and not an indexed field this must be what was causing the litsearch to mysteriously add the content into the search string.

The app came built by the vendor and not splunk and since the key = value does not violate any patterns I assumed the app would pass validation checks.  I think this comes down to down mix extracted fields with indexed fields for best practice.

FYI - we have also carried this forward and re-written many of our eventtype tags so that the raw search does not contain any extracted field references which are also data model destination field names.( ie Eventtypes raw search does not contain action=x or user=y statements).  I would only do this in very large environments with processing or search tuning requirements - don't fix if it aint broke!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...