Splunk Search

How can I search the Splunk internal field _cd to return certain events?

Explorer

How do I return events from searching the Splunk internal field _cd?

For example, the following are the _cd values. I need to get the underlying events:

0:313124421 0:313124433 0:313124445 0:313124457 0:313124469

I tried this, but it does not work:

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

Are these values Splunk CIM values?

I also tried:

splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1

The plan was to get an event using the event_hash from Notable results.

Motivator

hi badadata,
if _cd is an already extracted field containing these values, and you want to return the events containing the values of this field, you can try to run the following query:

splunk_server=my-splunk  index=main  _cd=* | head 1

or you can try to run this query for one specific value:

splunk_server=my-splunk index=main | search _cd="0:313124421" | head 1

let me know if it works.
please forgive my English.

Champion

When you say "Notable results" are you referring to the notables in Enterprise Security? If so, try running the notable macro in ES, the event_hash field should be populated in the results.

For the first example, I was able to run a very similar search to get an event using the _cd field, so I'm not sure what's wrong there. I did that outside of ES though.

Explorer

@maciep so did this work for you to get an event?

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

or did you do it differently? Somewhere I read _cd is not searchable, you can only filter on it.
Can you post the query you did to get an event from main using _cd?

From notable it is working, but not for standard events in main index

Champion

Yes, it did. We don't use the main index here, but it did work for me with a different index.

Another thing you can try is to create a new field and set it to _cd. Then search that one.

... | eval mycd = _cd | search mycd = "0:313124421"

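As an added example (not code from anyone in this thread), here is a small Python helper that builds the `eval mycd = _cd | search mycd = ...` pipeline from the last answer for one or several _cd values. It assumes the `bucket:offset` layout of _cd seen in the values above, validates every value against that layout before it is spliced into the query string, and only constructs the SPL; running it against Splunk is left to the caller. The function and field names (`build_cd_search`, `parse_cd`, `mycd`) are this example's own choices.

```python
import re

# Layout of the internal _cd field as seen in the thread: "<bucket id>:<offset>".
CD_PATTERN = re.compile(r"^\d+:\d+$")
# Conservative field-name rule so the copied field cannot carry SPL syntax.
FIELD_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample input: the five values quoted in the question.
SAMPLE_CD_VALUES = [
    "0:313124421", "0:313124433", "0:313124445", "0:313124457", "0:313124469",
]


def parse_cd(value: str) -> tuple[int, int]:
    """Split a _cd value into (bucket_id, offset); reject anything else."""
    if not CD_PATTERN.match(value):
        raise ValueError(f"not a valid _cd value: {value!r}")
    bucket, offset = value.split(":")
    return int(bucket), int(offset)


def build_cd_search(base_search: str, cd_values: list[str], field: str = "mycd") -> str:
    """Return an SPL pipeline that copies _cd into a plain field and filters on it.

    Every _cd value is validated first, so a string pasted from elsewhere
    (a notable, a ticket) cannot append extra SPL commands to the query.
    Multiple values are OR-ed together inside one search clause.
    """
    if not FIELD_PATTERN.match(field):
        raise ValueError(f"unsafe field name: {field!r}")
    if not cd_values:
        raise ValueError("at least one _cd value is required")
    clauses = []
    for value in cd_values:
        parse_cd(value)  # validation only; raises on malformed input
        clauses.append(f'{field}="{value}"')
    filter_expr = " OR ".join(clauses)
    if len(clauses) > 1:
        filter_expr = f"({filter_expr})"
    return f"{base_search} | eval {field}=_cd | search {filter_expr}"


if __name__ == "__main__":
    # Same base search the question used, filtered to all five sample values.
    print(build_cd_search("splunk_server=my-splunk index=main", SAMPLE_CD_VALUES))
```

The generated query still has to run after the base search has retrieved the events, because _cd is populated per retrieved event rather than being a searchable indexed term; that is the same reason the thread's working variants filter with `| search` or an `eval` copy after the pipe.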