Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching data that is not indexed

RedHonda03
Explorer
‎06-28-2021 07:12 AM

We have data which is not being indexed that needs to be searched. I've been told by our Splunk admin team that the data is available to be searched. I've attempted to search for the Windows Event 4688: A new process has been created  in the "source" and "sourcetype" fields for testing and do not get any results returned. 

To keep licensing costs down the admin team informed me that Event 4688 is not going to indexed along with a number of other event codes.  Any recommendations on performing a search on data that is not indexed would be appreciated. Not sure how to make a regex search for a specific event ID which was suggested.

Below are the searches I tried that failed.

sourcetype="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
source="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-28-2021 03:57 PM

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not.  Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.

 

 

View solution in original post

Reply
Solved! Jump to solution

RedHonda03
Explorer
‎06-29-2021 07:43 AM

I appreciate the clarification. Seems like the two people running Splunk sent me on a wild goose chase. 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-28-2021 03:57 PM

All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licencing then you will not be able to find it, as it is not there.

I think you have a misunderstanding on 'indexed' or not.  Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.

You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.

 

 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2021 07:22 AM

Splunk only searches data in its indexes.  IOW, data that is not indexed cannot be searched.  If the data is not there then no search will find it.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...