Splunk Search

How can I search the Splunk internal field _cd to return certain events?

badadata1
Explorer

How do I return events from searching the Splunk internal field _cd?

For example, the following are the _cd values. I need to get the underlying events:

0:313124421 0:313124433 0:313124445 0:313124457 0:313124469

I tried this, but it does not work:

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

Are these values Splunk CIM values?

I also tried:

splunk_server=my-splunk index=main | `get_event_hash` | search event_hash=c8bb8cb52e3172fdcfe28d637a9c1a52 | head 1

The plan was to get an event using the event_hash from Notable results.

0 Karma

gyslainlatsa
Motivator

hi badadata,
if _cd is an already extracted field containing these values, and you want to return the events containing the values of this field, you can try to run the following query:

splunk_server=my-splunk  index=main  _cd=* | head 1

or you can try to run this query for one specific value:

splunk_server=my-splunk index=main | search _cd="0:313124421" | head 1

let me know if it works.
please forgive my english.

0 Karma

maciep
Champion

When you say "Notable results" are you referring to the notables in Enterprise Security? If so, try running the notable macro in ES, the event_hash field should be populated in the results.

For the first example, I was able to run a very similar search to get an event using the _cd field, so I'm not sure what's wrong there. I did that outside of ES though.

0 Karma

badadata1
Explorer

@maciep so did this work for you to get an event:

splunk_server=my-splunk index=main | search _cd=0:313124421 | head 1

or did you do it differently? Somewhere I read that _cd is not searchable, it can only be filtered.
Can you post the query you did to get an event from main using _cd?

From notables it is working, but not for standard events in the main index.

0 Karma

maciep
Champion

Yes, it did. We don't use the main index here, but it did work for me with a different index.

Another thing you can try is to create a new field and set it to _cd. Then search that one.

... | eval my_cd = _cd | search my_cd = "0:313124421"

0 Karma
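Putting the eval workaround from the answer above together with the list of _cd values from the question gives a single search that pulls back all five events at once. This is an added example, not a query posted in the thread; the splunk_server and index names are the ones used in the question, and the values in the IN (...) list are the ones the asker listed.

```spl
splunk_server=my-splunk index=main
| eval my_cd=_cd, my_bkt=_bkt
| search my_cd IN ("0:313124421", "0:313124433", "0:313124445", "0:313124457", "0:313124469")
| table _time my_bkt my_cd _raw
```

Copying _cd and _bkt into ordinary fields before the search command avoids relying on internal fields being matched directly, and the table at the end makes the bucket id and _cd visible next to each raw event so the result can be checked against the original list.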