Solved: After upgrade to Splunk 6.2.1, why are fields no l...

hlarimer · ‎01-19-2015

I recently updated to Splunk Enterprise 6.2.1 and have noticed that my Palo Alto logs are no longer extracting fields when searching inside the Search app. When I go to the Palo Alto App and use sideview search, then the fields are extracted correctly.

Is this intended or is there a setting to change to extract fields in both locations?

hlarimer · ‎01-19-2015

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

View solution in original post

hlarimer · ‎01-19-2015

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

hlarimer · ‎01-19-2015

This was caused because I created a whole new app for Palo Alto and migrated my local folders but I forgot to move the local.meta file as well, which had these setting along with permission settings for the application. Self inflicted but I hope this thread helps someone!

After upgrade to Splunk 6.2.1, why are fields no longer extracted from Palo Alto logs when searching using the Search App?

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting