Trace a value in Splunk / data lineage

mihenn · ‎03-09-2020

Hi,

is there a way to trace the origin of a specific value in Slunk? Currently I am trying to figure out with eventtype, lookup or eval is setting a tag and a field value for some events in Splunk. I used the btool the figure out, if the are some evals. But they do not apply. I found some lookups, but these do not contain the value I am looking for.

A code trace or data lineage function would be very helpfull sometimes.
Does anyone know a function in Splunk or an app for this?

Thank you.

adonio · ‎03-10-2020

try to find the value for the sourcetype your event / data has
then run this search:

 | rest services/saved/sourcetypes 
 | search title=<your_sourcetype>

if the list is huge, you can use the command:

 | fieldsummary

look for the resutls and itll give you all the EVAL- REPORT- etc definitions for your fields

hope it helps

xavierashe · ‎03-09-2020

Have you look in the search inspector? Drill down into the properties. Sometimes I can figure out where things came from there.

mihenn · ‎03-09-2020

I checked on that, too. That's where I found out that a lookup is used. Unfortunately not which one. Finally I found the source on the searchhead by searching all lookups with find.

It would be nice to have a mouseover in Splunk, which shows if the value is from _raw or was modified.

Trace a value in Splunk / data lineage

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms