- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I search the Splunk internal field _cd to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I search the Splunk internal field _cd to return certain events?
How do I return events from searching the Splunk internal field _cd?
For example, the following are the _cd values. I need to get the underlying events:
0:313124421 0:313124433 0:313124445 0:313124457 0:313124469
I tried this, but does not work:
splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1
Are these values Splunk CIM values?
I also tried:
splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1
The plan was to get an event using the event_hash from Notable results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi badadata,
if _cd is already extracted field containing these values, and you want to return the events containing the values of this field you can try to run the following query:
splunk_server=my-splunk index=main _cd=* | head 1
or you can try to run this query for one specific value: splunk_server=my-splunk index=main | search _cd="0:313124421" | head 1
let me knows if it works.
please forgive my english.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say "Notable results" are you referring to the notables in Enterprise Security? If so, try running the notable macro in ES, the event_hash field should be populated in the results.
For the first example, I was able to run a very similar search to get an event using the _cd field, so I'm not sure what's wrong there. I did that outside of ES though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@maciep so did this work for you to get an event
splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1
or you did a differently. Somewhere I read _cd is not searchable only can filter
Can you post the query you did to get an event from main using _cd
From notable it is working, but not for standard events in main index
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it did. We don't use the main index here, but it did work for me with a different index.
Another thing you can try is to create a new field and set it to _cd. Then search that one.
... | eval my_cd = _cd | search my_cd = "0:313124421"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
