Splunk Search

Searching data that is not indexed

RedHonda03
Explorer

We have data which is not being indexed that needs to be searched. I've been told by our Splunk admin team that the data is available to be searched. I've attempted to search for the Windows Event 4688: A new process has been created  in the "source" and "sourcetype" fields for testing and do not get any results returned. 

To keep licensing costs down the admin team informed me that Event 4688 is not going to indexed along with a number of other event codes.  Any recommendations on performing a search on data that is not indexed would be appreciated. Not sure how to make a regex search for a specific event ID which was suggested.

Below are the searches I tried that failed.

sourcetype="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
source="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.

 

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not.  Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.

 

 

View solution in original post

RedHonda03
Explorer

I appreciate the clarification. Seems like the two people running Splunk sent me on a wild goose chase. 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not.  Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.

 

 

richgalloway
SplunkTrust
SplunkTrust

Splunk only searches data in its indexes.  IOW, data that is not indexed cannot be searched.  If the data is not there then no search will find it.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...