topic Re: Fields are not showing in Splunk Search

Fields are not showing

sasankganta — Thu, 11 Feb 2021 13:30:03 GMT

I have raw event like : time action severity host , etc.,

But when I checked interesting filed action filed is not showing. All the logs are related to mcafee getting from tcp:9997

Can some one please let me know what can be the issue and what actions can I take to correct this ?

Re: Fields are not showing

richgalloway — Thu, 11 Feb 2021 13:47:17 GMT

Are you searching in Verbose Mode?

Re: Fields are not showing

sasankganta — Thu, 11 Feb 2021 13:57:32 GMT

yes searching in verbose mode

Re: Fields are not showing

sasankganta — Thu, 11 Feb 2021 13:59:39 GMT

Tried in all search modes still the same issue, raw event is showing "action" , but interesting filed it's not showing action field

Re: Fields are not showing

gcusello — Thu, 11 Feb 2021 14:02:44 GMT

Hi @sasankganta,

Splunk automatically recognizes fields when they are in the format "field_name=field_value".

Otherwise you have to extract them and you have two choices:

use an Add-on that already contains all the field extractions (e.g. Splunk_TA_Windows);
manually extract all the fields you need.

there's a third choice if you have a csv or a json file, but it isn't your case.

Anyway, are you using an Add-on containing the field extractions?

if not, you have to create the fields extractions.

Ciao.

Giuseppe

Re: Fields are not showing

sasankganta — Thu, 11 Feb 2021 14:29:05 GMT

I don't think here i can extract fields , because it's a Intrusion detection system data model and we directly get mcafee logs from tcp:9997

Re: Fields are not showing

gcusello — Thu, 11 Feb 2021 15:16:39 GMT

Hi @sasankganta,

yes, you're receiving McAfee logs from tcp:9997 but after logs are indexed, you have to parse your logs to extract fields before archiving in Data Model.

Is there an app for McAfee in your Search Head?

If yes, try again your search inside this app.

Otherwise, you have to parse your logs.

Ciao.

Giuseppe

Re: Fields are not showing

scelikok — Thu, 11 Feb 2021 17:07:29 GMT

Hi @sasankganta,

Did you ingest McAfee logs using correct sourcetype that mentioned in the related app?

If these logs are from "McAfee ePO Syslog" your sourcetype should be "mcafee:epo:syslog". If you are ingesting using something other than this sourcetype, none of the extractions will work.

Can you please post a screenshot that shows your search, results and interesting fields?

Re: Fields are not showing

sasankganta — Wed, 17 Feb 2021 14:10:32 GMT

Hi scelikok

These are mcafee nsm logs not McAfee ePO Syslog

Re: Fields are not showing

scelikok — Wed, 17 Feb 2021 14:36:42 GMT

Hi @sasankganta,

What are you using as a sourcetype on data input? Can you please post a sample log ?

Re: Fields are not showing

sasankganta — Wed, 17 Feb 2021 16:11:54 GMT

Please find the sample log :

Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" domain="Serasa" category="Sensor" signature="Deploying updates to "spobripsgw02"." action="Set Deployment" result="succeeded" user="Administrator" comment="N/A" delta="N/A"
category = Sensorcribl_pipe = br_mnshost = 10.52.225.200ids_type = networkindex = eits_ips_prod_ussignature = Deploying updates tosource = tcp:9997sourcetype = mcafee:nsm

Re: Fields are not showing

sasankganta — Wed, 17 Feb 2021 16:15:51 GMT

Also , it would be a great help if you can suggest about undefined logs and what kind these are :

Feb 17 15:41:44 SyslogAlertForwarder: ....0;;; HTTP Host == 10.10.198.187:8080;;; HTTP Response Content Type == application/javascript Last-Modified: Tue, 26 Feb 2019 16:11:46 GMT;;; "
cribl_pipe = uk_mnshost = undefinedids_type = networkindex = eits_ips_prod_ussource = tcp:9997sourcetype = mcafee:nsm

Feb 17 15:41:07 SyslogAlertForwarder: ...P Response Content Type == application/octet-stream;;; "
cribl_pipe = uk_mnshost = undefinedids_type = networkindex = eits_ips_prod_ussource = tcp:9997sourcetype = mcafee:nsm