Re: Field extractions are incomplete for juniper

nathanluke86 · ‎11-19-2019

Hello,

We are extracting juniper logs using the Juniper addon and are getting random fields as pictured.

Could someone explain why this might be happening

DavidHourani · ‎11-19-2019

Hi @nathanluke86,

Are you on a distributed env ? If so where have you installed the ad-on ?

Search time components of the TA should go on the search head to get the cleanest extractions possible.

In your case it seems that the auto-extractions are grabbing lots of weird fields and polluting your field list. In order to disable it modify your local props.conf to include KV_MODE = none that way auto-extraction will be disabled.

More info here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsea...

Cheers,
David

nathanluke86 · ‎11-20-2019

Hi @DavidHourani

We are in a distributed env. I have checked props.conf and KV_MODE is set to none. The TA is installed on all forwarders and Search heads.

Thanks

DavidHourani · ‎11-20-2019

Are those fields showing over all time ? Click on one of the weird fields and check what the event looks like, wether its broken or not.

Also check if there are other places where the sourcetype might be grabbing its config from use btool to verify that.

nathanluke86 · ‎11-26-2019

The log is not complete when viewing these weird extractions

Thanks

Field extractions are incomplete for juniper

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?