Splunk Enterprise Security

Splunk Enterprise Security: Why does inputlookup (kvstore) not show all available fields?

ernieyee
New Member

Splunk Enterprise version is 6.5.2

kvstore correlationsearches_lookup is defined in app SA-ThreatIntelligence (version 4.5.0) which is part of Enterprise Security (version 4.5.0).

The definition of correlationsearches_lookup is as below in :

[screenshot: definition of correlationsearches_lookup]

But the commands | inputlookup correlationsearches_lookup and | inputlookup correlationsearches_lookup | transpose | table column only show 10 of the 15 available fields.

[screenshot: search results showing 10 of the 15 fields]

May I know why the remaining 5 fields do not show in the result?
Is it possible to show all 15 fields in the result?

Thanks!

1 Solution

jstoner_splunk
Splunk Employee

If fields do not return any values in the search, the field will not show on the search results screen by default. I suspect the fields you mention are by default null, so that is why they are not showing. If you issue a | table rule_name default_status default_owner, you will see those fields forced out as columns, but I suspect they are null. Looking in correlation_searches.conf in SA-ThreatIntelligence, you will see that by default the default_status and default_owner fields are null.

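The searches below are an added example to check the explanation given in the accepted answer; they are not from the thread or from the SA-ThreatIntelligence app. The lookup name and the fields rule_name, default_status and default_owner are the ones named above; any other field names in the lookup are unknown here. The last search uses Splunk's data/transforms/lookups REST endpoint, scoped to the SA-ThreatIntelligence app, and assumes that its entry exposes the transforms.conf keys collection and fields_list for a KV Store lookup.

```spl
| inputlookup correlationsearches_lookup
| table rule_name default_status default_owner

| inputlookup correlationsearches_lookup
| stats count AS rows, count(default_status) AS default_status_populated, count(default_owner) AS default_owner_populated

| inputlookup correlationsearches_lookup
| fillnull value="(null)" default_status default_owner
| transpose
| table column

| rest /servicesNS/nobody/SA-ThreatIntelligence/data/transforms/lookups/correlationsearches_lookup
| table title collection fields_list
```

The first search forces the two suspect fields out as columns, as the answer suggests; the second counts how many rows actually carry a value in each of them (count(field) only counts rows where the field is non-null, so 0 against a non-zero rows value means the field is null in every row, which is exactly why the default results view drops it); the third is the original transpose approach with the missing fields filled in first so that they appear in the field list; the fourth reads the lookup definition itself, whose fields_list is the full set of fields regardless of whether any row populates them.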

ernieyee
New Member

That's the case.
Thanks a lot!
