Splunk Search

Searching data that is not indexed

RedHonda03
Explorer

We have data which is not being indexed that needs to be searched. I've been told by our Splunk admin team that the data is available to be searched. I've attempted to search for the Windows Event 4688 ("A new process has been created") in the "source" and "sourcetype" fields for testing and do not get any results returned.

To keep licensing costs down the admin team informed me that Event 4688 is not going to be indexed along with a number of other event codes. Any recommendations on performing a search on data that is not indexed would be appreciated. Not sure how to make a regex search for a specific event ID, which was suggested.

Below are the searches I tried that failed.

sourcetype="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
source="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.

1 Solution

bowesmana
SplunkTrust
SplunkTrust

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not. Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.
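As an added check (not part of the thread), the search below inventories which Security event codes actually reached the index over the last day, so an absent 4688 shows up as missing from the list rather than as a search that silently returns nothing. It assumes the events land in an index named `wineventlog` with the sourcetype `WinEventLog:Security`; both names are assumptions, adjust them to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-24h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY EventCode
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - events
```

If this returns no rows at all, `| metadata type=sourcetypes index=wineventlog` lists the sourcetype names actually present, which rules out a spelling mismatch before concluding the events were never sent.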


RedHonda03
Explorer

I appreciate the clarification. Seems like the two people running Splunk sent me on a wild goose chase. 



richgalloway
SplunkTrust
SplunkTrust

Splunk only searches data in its indexes. IOW, data that is not indexed cannot be searched. If the data is not there then no search will find it.

---
If this reply helps you, Karma would be appreciated.