Re: Missing fields on Splunk data export & import

CSReviews · ‎04-28-2024

I have one Splunk instance where I ran a search and exported the data in a csv file, xml file, and a raw file. The data contained is mostly Windows event logs, "process command line", "creator process", ect.

I am trying to import this data into another Splunk instance. When the data is imported, I noticed some fields are missing, like "process command line". I tried each file type and had no success. I also reviewed the data in the fields and all of the fields and values are present.

Essentially, I am trying to import data similar to Splunk BOTS

GitHub - splunk/botsv3: Splunk Boss of the SOC version 3 dataset.

gcusello · ‎04-28-2024

Hi @CSReviews ,

as @marnall said, running a search, yu probably modify the raw data.

to export data. the best approach is to run a search without table command, only the main search and then export data in raw format.

There's only one issue: you have to run this search separating events fo index, sourcetype and host, and then import data assigning the correct values, otherwise you cannot assign the correct values to these fields.

Ciao.

Giuseppe

marnall · ‎04-28-2024

If I understand you correctly, you are exporting the results of a search, then importing it in another Splunk instance as new data? This would definitely alter the fields. The exporting of search results is not intended as a method to move data unchanged from one Splunk instance to another.

Are you trying to import BOTS data or to package indexed data in a manner similar to the BOTS data?

Missing fields on Splunk data export & import

universal forwarder

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!