Splunk Search

signature not searchable

New Member

I have an odd problem. I just set up a splunk instance and its only monitoring local linux logs at the moment. The logs contain iptables logs that are feeding in correctly as I see the right fields (eventtype, signature, dst, dpt, src, action, etc.)

However, the odd thing is when I try to search on the eventtype or signature for iptables (eventtype=firewall-deny or signature=firewall), nothing comes back. This is despite the fact that when I hover over the signature field in the field discovery panel is shows 200+ events for signature=firewall.

I'm assuming the eventtype=firewall-deny is not working because it depends on signature working.

So, am I doing something wrong or is there something I need to do in order to get it working correctly?

Tags (2)
0 Karma


I know my answer is a little late, but maybe it is helping someone else. If you started the search exactly like you showed, the or must be in uppercase:

eventtype=firewall-deny OR signature=firewall
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...