Splunk Search

Searching data that is not indexed

RedHonda03
Explorer

We have data which is not being indexed that needs to be searched. I've been told by our Splunk admin team that the data is available to be searched. I've attempted to search for the Windows Event 4688: A new process has been created in the "source" and "sourcetype" fields for testing and do not get any results returned.

To keep licensing costs down the admin team informed me that Event 4688 is not going to be indexed along with a number of other event codes. Any recommendations on performing a search on data that is not indexed would be appreciated. Not sure how to make a regex search for a specific event ID, which was suggested.

Below are the searches I tried that failed.

sourcetype="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
source="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.

0 Karma
1 Solution

bowesmana
SplunkTrust

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not. Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.
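
To confirm what the Security sourcetype actually contains before concluding that an event code was never ingested, here is an added example search (not from this thread; the sourcetype name, the 24-hour window and the index wildcard are assumptions for illustration):

```spl
index=* sourcetype="WinEventLog:Security" earliest=-24h
| stats count min(_time) as first_seen max(_time) as last_seen by EventCode
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| sort - count
```

If 4688 does not appear in the resulting table, the events are not in any index your role can search; `index=*` only covers indexes your role is permitted to read, so an empty result can also be a permissions issue rather than proof the events were never sent.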


RedHonda03
Explorer

I appreciate the clarification. Seems like the two people running Splunk sent me on a wild goose chase. 

0 Karma


richgalloway
SplunkTrust

Splunk only searches data in its indexes. IOW, data that is not indexed cannot be searched. If the data is not there then no search will find it.

---
If this reply helps you, Karma would be appreciated.