All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing source and sourcetype in selected and interesting fields

balmeida
Explorer
‎09-04-2019 03:49 AM

Hi,

Somehow, when the Linux Auditd Technology Add-On is installed on our SplunkCloud deployment, the source and sourcetype fields disappear from selected fields or interesting fields whenever a linux:audit event is present in the search results.

I can still use them in the search.

As soon as I disable the addon, the fields return

Assuming this search always contains linux:audit data, this is the behaviour I am seeing:

# Fields missing:
host=ip-10-231-16-14 index=test

# Fields missing:
host=ip-10-231-16-14 index=test sourcetype=linux:audit

# Fields appear correctly:
host=ip-10-231-16-14 index=test sourcetype!=linux:audit

I've never seen this kind of behaviour, any ideas what's going on?

Thanks

0 Karma
Reply

doksu
Contributor
‎09-04-2019 08:37 PM

@balmeida that's super weird. Thanks for bringing it to my attention. Could you please open a ticket with support as that sounds like a Splunk bug.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
li.common.scroll-to.top