We have data which is not being indexed that needs to be searched. I've been told by our Splunk admin team that the data is available to be searched. I've attempted to search for the Windows Event 4688: A new process has been created in the "source" and "sourcetype" fields for testing and do not get any results returned.
To keep licensing costs down the admin team informed me that Event 4688 is not going to indexed along with a number of other event codes. Any recommendations on performing a search on data that is not indexed would be appreciated. Not sure how to make a regex search for a specific event ID which was suggested.
Below are the searches I tried that failed.
sourcetype="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
source="wineventlog:security" EventCode=4688 --> No results found. Try Expanding the time range.
All data that is delivered to Splunk can be searched. If your admin team has said that 4688 events are not going to be sent to Splunk due to licensing then you will not be able to find it, as it is not there.
I think you have a misunderstanding on 'indexed' or not. Splunk receives data and all that data can be searched. It is not like a traditional database index where you need to specify the fields that are used to provide a more efficient way to locate data, as all data in Splunk can be found.
You can treat Splunk like 'if Splunk has the data - it is indexed and searchable', so it would appear that the only strategy is to hope that they will ingest these events.
I appreciate the clarification. Seems like the two people running Splunk sent me on a wild goose chase.
Splunk only searches data in its indexes. IOW, data that is not indexed cannot be searched. If the data is not there then no search will find it.
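A way to verify the point made in the answers above, as an added example that is not from this thread: this SPL search lists every Security event code that actually made it into Splunk over the last seven days, and alongside each count shows how many raw events a regex for 4688 would match. If 4688 was never forwarded, it will not appear in the EventCode column and the regex column will be zero for every row. It assumes the sourcetype used in the question and that events arrive in either the classic "EventCode=4688" or the XML "<EventID>4688</EventID>" layout; index=* is only for discovery and should be narrowed to the real index in day-to-day use.

```spl
index=* sourcetype="wineventlog:security" earliest=-7d
| eval regex_4688=if(match(_raw, "EventCode=4688|<EventID>4688<"), 1, 0)
| stats count AS events, sum(regex_4688) AS regex_hits BY EventCode
| sort - events
```

The regex_hits column can never exceed the events count for any row, because a regex in Splunk is applied to events already in the index and cannot reach data that was filtered out before ingestion.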