Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I search the Splunk internal field _cd to return certain events?

badadata1
Explorer
‎03-18-2015 07:08 AM

How do I return events from searching the Splunk internal field _cd?

For example, the following are the _cd values. I need to get the underlying events:

0:313124421 0:313124433 0:313124445 0:313124457 0:313124469

I tried this, but does not work:

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

Are these values Splunk CIM values?

I also tried:

splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1

The plan was to get an event using the event_hash from Notable results.

Tags (4)
0 Karma
Reply

gyslainlatsa
Motivator
‎03-19-2015 02:16 AM

hi badadata,
if _cd is already extracted field containing these values, and you want to return the events containing the values of this field you can try to run the following query:

splunk_server=my-splunk  index=main  _cd=* | head 1

or you can try to run this query for one specific value: splunk_server=my-splunk index=main | search _cd="0:313124421" | head 1

let me knows if it works.
please forgive my english.

0 Karma
Reply

maciep
Champion
‎03-18-2015 05:19 PM

When you say "Notable results" are you referring to the notables in Enterprise Security? If so, try running the notable macro in ES, the event_hash field should be populated in the results.

For the first example, I was able to run a very similar search to get an event using the _cd field, so I'm not sure what's wrong there. I did that outside of ES though.

0 Karma
Reply

badadata1
Explorer
‎03-18-2015 10:08 PM

@maciep so did this work for you to get an event

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

or you did a differently. Somewhere I read _cd is not searchable only can filter
Can you post the query you did to get an event from main using _cd

From notable it is working, but not for standard events in main index

0 Karma
Reply

maciep
Champion
‎03-19-2015 05:42 AM

Yes, it did. We don't use the main index here, but it did work for me with a different index.

Another thing you can try is to create a new field and set it to _cd. Then search that one.

... | eval my_cd = _cd | search my_cd = "0:313124421"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...