Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to explain follow _audit log?

xiyangyang
Path Finder
‎08-23-2022 12:40 AM

I found follow logs in _audit logs.  The user who run this search cannot access internal logs, so I assume the underline part is added by Splunk system. 

Could anyboda explain follow 2 questions?

What does the underline part mean?

what does the field _cd mean?

search='search (index=* OR index=_*) _time>=1661000447 _time<1661000460 host="XXX" source="XXX" | eval _DBID = replace(_cd, "(\d+):\d+", "\1") | eval _OFFSET = replace(_cd, "\d+:(\d+)", "\1")']

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-23-2022 05:09 AM

The underscore in an index or field name is just part of the name, however, names beginning with an underscore are reserved for use by Splunk.

The _cd field gives the location of an event within an index.  See https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/Usedefaultfields#_cd for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...