Splunk Search

Hidden search criteria confusing my results

rmavery
Explorer

I'm trying to tweak a search to create an alert for it. I started with a pretty long search...


560 host="rhea" Object_Name="D:\Secure\HR\." NOT Object_Name="~$" NOT Object_Name="*.tmp" NOT "user=SYSTEM" Accesses="READ_CONTROL" OR Accesses="SYNCHRONIZE" OR Accesses="DELETE" | convert timeformat="%Y-%m-%d-%H:%M" ctime(_time) AS c_time | table c_time, Object_Name, User | dedup c_time Object_Name User | rename c_time AS Time Object_Name AS "File Accessed" | uniq


I put the . in the search to exclude folders, I only want to return access attempts to files.

When this kept returning folders, I started to tweak it down. I tried manually changing searches, and even clicking the keys in the web page to have it automatically add some criteria.

When I clicked 'User' and selected 'SYSTEM' all of my search results disappeared. I realized that this created conflicting criteria (User!="SYSTEM" and User="SYSTEM") so I manually deleted the second one. Still no results.

I removed criteria all the way down to Object_Name="D:\Secure\HR\." with a date range of last 30 days, and still no results (there had been plenty of results before; I was trying to narrow them down).

After considerable confusion, I clicked 'Actions' and 'Inspect Search Job' and the resulting page showed why there were no results.

This is what the search job inspector showed as the search...


search search EventCode="560" | search Object_Name="\Secure\HR\*." | search NOT User="SYSTEM" | dedup _time Object_Name User | convert timeformat="%Y-%m-%d-%H:%M:%S" ctime(_time) AS c_time | search User="SYSTEM" | table c_time, Object_Name, User | rename c_time AS Time Object_Name AS "File Accessed"


I couldn't see in my original page where all of the other criteria were hidden.

Is this a bug, or by design?


rmavery
Explorer

I tried what you suggested with the 'ALT' and I also cannot reproduce it now. As a matter of fact, I left the previous browser window open with the '0' results, and just returned to that one and hit CTRL+F5 to flush the cache and it works now. I tried in Chrome and Firefox and cannot reproduce it there either.

0 Karma

rmavery
Explorer

I'm using 4.2.1 (98164). The browser (that I was using at the time) was IE 8. I didn't even think to try the other browsers. The search that I started with said 'flashtimeline' in the display view.

0 Karma

sideview
SplunkTrust

No that is definitely a bug. In fact there have been one or two other questions on answers that I think have a similar root cause. Some important questions -- What version of Splunk are you using, what browser are you using and is this the plain old "flashtimeline" view within the search app? Can you add those answers to your question?

Also can you reproduce it at will or does it only happen sometimes? I just tried these steps but I cannot get it to happen.

Run a search, click some terms, manually type in a fieldName="value", then use the sidebar to open the panel for fieldName, and ALT-click the value so there's both fieldName="value" and NOT fieldName="value", and then manually edit the search. I can't get the interface into an inconsistent state.

0 Karma