Splunk Search

Hidden search criteria confusing my results

rmavery
Explorer

I'm trying to tweak a search to create an alert for it. I started with a pretty long search...


560 host="rhea" Object_Name="D:\Secure\HR\." NOT Object_Name="~$" NOT Object_Name="*.tmp" NOT "user=SYSTEM" Accesses="READ_CONTROL" OR Accesses="SYNCHRONIZE" OR Accesses="DELETE" | convert timeformat="%Y-%m-%d-%H:%M" ctime(_time) AS c_time | table c_time, Object_Name, User | dedup c_time Object_Name User | rename c_time AS Time Object_Name AS "File Accessed" | uniq


I put the . in the search to exclude folders; I only want to return access attempts to files.

When this kept returning folders, I started to tweak it down. I tried manually changing searches, and even clicking the keys in the web page to have it automatically add some criteria.

When I clicked 'User' and selected 'SYSTEM' all of my search results disappeared. I realized that this created conflicting criteria (User!="SYSTEM" and User="SYSTEM") so I manually deleted the second one. Still no results.

I removed criteria all the way down to Object_Name="D:\Secure\HR\." with a date range of last 30 days, and still no results (there were plenty of results before; I was trying to narrow them down).

After considerable confusion, I clicked 'Actions' and 'Inspect Search Job' and the resulting page showed why there were no results.

This is what the search job inspector showed as the search...


search search EventCode="560" | search Object_Name="\Secure\HR\*." | search NOT User="SYSTEM" | dedup _time Object_Name User | convert timeformat="%Y-%m-%d-%H:%M:%S" ctime(_time) AS c_time | search User="SYSTEM" | table c_time, Object_Name, User | rename c_time AS Time Object_Name AS "File Accessed"


I couldn't see in my original page where all of the other criteria were hidden.

Is this a bug, or by design?


rmavery
Explorer

I tried what you suggested with the 'ALT' and I also cannot reproduce it now. As a matter of fact, I left the previous browser window open with the '0' results, and just returned to that one and hit CTRL+F5 to flush the cache and it works now. I tried in Chrome and Firefox and cannot reproduce it there either.


rmavery
Explorer

I'm using 4.2.1 (98164). The browser (that I was using at the time) was IE 8. I didn't even think to try the other browsers. The search that I started with said 'flashtimeline' in the display view.


sideview
SplunkTrust

No, that is definitely a bug. In fact there have been one or two other questions on Answers that I think have a similar root cause. Some important questions: What version of Splunk are you using, what browser are you using, and is this the plain old "flashtimeline" view within the search app? Can you add those answers to your question?

Also can you reproduce it at will or does it only happen sometimes? I just tried these steps but I cannot get it to happen.

Run a search, click some terms, manually type in a fieldName="value", then use the sidebar to open the panel for fieldName, and ALT-click the value so there's both fieldName="value" and NOT fieldName="value", and then manually edit the search. I can't get the interface into an inconsistent state.
