Splunk Search

Search problem - not finding results that should be returned from search criteria

gtg
New Member

We have been running a search that returns results for user and computer account creation. For the past week or so, the search no longer returns results for event IDs that I have verified are in the event log on the domain controller. Events were previously found as recently as 8/21 and are still found if I change the time range to include that data. I am not aware of any system changes since 8/21 that would have caused the null results.

The search we are using is:
EventCode="645" OR EventCode="624" OR EventCode="631" OR EventCode="4720" OR EventCode="4741" OR EventCode="4727" | top src_user user

If I search on other event IDs from the security log in Splunk, they are found without issue, but the test user and computer accounts I created today, and entries from others that I know have been created in the past few days, are not found in the search results.

Any thoughts on what the issue might be?

Thanks


masonmorales
Influencer

Is the EventCode field extraction working properly? What happens if you just add your test user account to the search criteria and remove all of the EventCode=?

i.e.
yourtestaccount (645 OR 624 OR 631 OR 4720 OR 4741 OR 4727)

If it returns events, something is wrong with your EventCode field extraction. If it returns no events, something might be misconfigured on the data ingest side.

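The diagnostic approach in this answer, written out as a short set of searches. This is an added example, not part of the original post: it assumes the domain controller events are indexed under sourcetype WinEventLog:Security (the standard Windows Security log input), uses the built-in `comment` macro (present in recent Splunk versions; drop those lines on older ones), and `yourtestaccount` is a placeholder for the test account name.

```spl
`comment("1. What is actually being indexed, and when was each sourcetype last seen? If WinEventLog:Security is missing or lastSeen is stale, the problem is on the ingest side.")`
| metadata type=sourcetypes index=*
| eval lastSeen=strftime(lastTime, "%F %T")
| table sourcetype totalCount lastSeen

`comment("2. The literal check from the answer: do the raw events contain the account name and the codes as terms, independent of any field extraction?")`
sourcetype=WinEventLog:Security yourtestaccount (645 OR 624 OR 631 OR 4720 OR 4741 OR 4727)

`comment("3. Events that contain the term 4720 but carry no extracted EventCode=4720 point at a broken field extraction rather than missing data.")`
sourcetype=WinEventLog:Security 4720 NOT EventCode=4720

`comment("4. Once data is confirmed to be flowing, check coverage per event code and per domain controller over the affected window.")`
sourcetype=WinEventLog:Security earliest=-7d@d (EventCode=645 OR EventCode=624 OR EventCode=631 OR EventCode=4720 OR EventCode=4741 OR EventCode=4727)
| stats count by host, EventCode
```

Read the results in order: an empty or stale row for WinEventLog:Security in search 1 means the forwarder is not sending the Security log at all (the outcome the original poster reached), in which case searches 2 and 3 will both be empty; search 2 returning events while search 3 also returns events isolates the fault to EventCode extraction. The ingest-side fix the thread describes corresponds to enabling the `[WinEventLog://Security]` stanza (`disabled = 0`) in inputs.conf on the forwarder and restarting it.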

gtg
New Member

Thanks for the replies. Apologies, I am new to Splunk and to this company as of Monday. I have been researching/training but am still pretty green and had not narrowed the scope of the search properly, so I was getting some erroneous results. Seems like a relatively simple issue. The data looks like it isn't being forwarded, as the only source type listed is Active Directory.

I think it will be as simple as modifying the inputs.conf file to include WinEventLog:Security, and I plan to check it out in the morning. I have not been configured for our VPN yet, so I have no remote access to work on it until I can get into the office tomorrow, but once I can take a look at it I will update this appropriately.


gtg
New Member

It is on the data ingest side. Will be looking into it further.


jensonthottian
Contributor

Seems like a change happened in the log configuration to stop logging for those events - check the log configs.
