Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

signature not searchable

trevlix
New Member
‎08-03-2011 12:55 PM

I have an odd problem. I just set up a splunk instance and its only monitoring local linux logs at the moment. The logs contain iptables logs that are feeding in correctly as I see the right fields (eventtype, signature, dst, dpt, src, action, etc.)

However, the odd thing is when I try to search on the eventtype or signature for iptables (eventtype=firewall-deny or signature=firewall), nothing comes back. This is despite the fact that when I hover over the signature field in the field discovery panel is shows 200+ events for signature=firewall.

I'm assuming the eventtype=firewall-deny is not working because it depends on signature working.

So, am I doing something wrong or is there something I need to do in order to get it working correctly?

Tags (2)
0 Karma
Reply

Unister
Explorer
‎06-13-2016 04:51 AM

I know my answer is a little late, but maybe it is helping someone else. If you started the search exactly like you showed, the or must be in uppercase:

eventtype=firewall-deny OR signature=firewall
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...