
Log clearing not showing up from tstats?

domino30
Path Finder

I can search my way into finding the result of a log clearing event, but if I use a data model with tstats it doesn't show. I think this might be because the action shows as action=deleted, but the reality is I don't know.

I am attaching a png of the issue and I am just wondering what is the best way to go about fixing this or changing it so I get it in the way it fits.

[attachment: log clearing.PNG]


isoutamo
SplunkTrust

Hi,

You could check what you have in this data model with

| from datamodel:"Change.Auditing_Changes"

Then just add the needed search after that, based on what you are looking for.

r. Ismo 


domino30
Path Finder

I get the following.

[attachment: Capture123.PNG]

Also, where do I go to change things?


isoutamo
SplunkTrust

You should use correct capitalization.

domino30
Path Finder

Similar to this, or do I make the change elsewhere?

[attachment: Capture1234.PNG]

isoutamo
SplunkTrust

This query shows that you have data in this data model. Now you should add "| search …" with those search terms which you already have in your first tstats and try to figure out whether those are present in your DM or whether something is missing. This is the way to "debug" your tstats from the DM.

domino30
Path Finder

Which one?

[attachment: this thing.PNG]

isoutamo
SplunkTrust

None of those. I mean your second query in your 1st post. Something like this:

| from datamodel:"Change.Auditing_Changes"
| search nodename=All_Changes.Auditing_Changes All_Changes.action=cleared

That way you could find out whether those fields/values are in your DM or not, or whether you have some typos or other issues in your condition.

domino30
Path Finder

I am not getting results from that; should I be?

[attachment: newnewnew.PNG]

Now that I have figured out that I am not getting results, what should I do?

Also, thanks a lot for being super clear in your answers, as I would not have figured out the exact search part.

isoutamo
SplunkTrust

Probably this is in the wrong order, and maybe nodename doesn't have defined fields at this time:

search nodename=All_Changes.Auditing_Changes

Try to check what you have in the fields All_Changes.Auditing_Changes and All_Changes.action.

Also, if you want to use nodename as a value instead of a field, you should surround it with " like "nodename", and also cleared as "cleared" if that is also a value.
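The two checks isoutamo describes above (enumerate what the data model actually holds, then repeat the filter with correct capitalization and quoted values) written out as an added example; this is an editor's illustration, not a search posted by anyone in this thread. The first tstats lists every action value stored under the Auditing_Changes node, so an event recorded as "deleted" instead of "cleared" shows up at once; the second is the filtered count to compare against the raw search. Only the data model and dataset names from the thread are used; no other field values are assumed.

```spl
| tstats count from datamodel=Change where nodename=All_Changes.Auditing_Changes by All_Changes.action

| tstats count from datamodel=Change where nodename=All_Changes.Auditing_Changes All_Changes.action="cleared" by _time span=1d
```

If the first search lists the value under a different spelling or case, use that exact string in the second search and in the raw search so both are counting the same events.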

domino30
Path Finder

[attachment: this is it.PNG]

I tried a variety of searches like the ones you see and also added * or replaced cleared with * and got no results.
