Re: How to explain follow _audit log?

xiyangyang · ‎08-23-2022

I found follow logs in _audit logs. The user who run this search cannot access internal logs, so I assume the underline part is added by Splunk system.

Could anyboda explain follow 2 questions?

What does the underline part mean?

what does the field _cd mean?

search='search (index=* OR index=_*) _time>=1661000447 _time<1661000460 host="XXX" source="XXX" | eval _DBID = replace(_cd, "(\d+):\d+", "\1") | eval _OFFSET = replace(_cd, "\d+:(\d+)", "\1")']

richgalloway · ‎08-23-2022

The underscore in an index or field name is just part of the name, however, names beginning with an underscore are reserved for use by Splunk.

The _cd field gives the location of an event within an index. See https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Knowledge/Usedefaultfields#_cd for details.

---
If this reply helps you, Karma would be appreciated.

How to explain follow _audit log?

search job inspector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation