Why won't Walklex timespan follow time specificati...

Derson · ‎01-29-2023

When I use walklex on my indexes, it doesn't appear to be following the time specifications very well. Does anybody know what is/might be happening here?

Command:
| walklex index=indexName type=field
| stats count by field

Examples for an index:
Index 1:
* The buckets generally take about 6 hours to roll from hot to warm.
* When I select last 24 hours, I get results from above query like I would expect with a bit of overflow due to the bucket time span, but then there is a couple week gap with some events returned from several weeks prior.

Index 2:
* Some buckets have upwards of 2 years time span.
* When I run walklex over the last 7 days, I get results all the way back to 2017. When I look for the bucket ID and guId of the bucket containing the old results using dbinspect over a 14 day time range, I do not see that local ID combined with the guId. But when I look at all time I find the guId and local ID pair. But the bucket shows as being hot and last edited in January of 2020... which all of the other weird behavior set aside, walklex shouldn't be getting data from hot buckets unless the docs are wrong?

Why won't Walklex timespan follow time specifications?

fields

other

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!