Hi,
Somehow, when the Linux Auditd Technology Add-On is installed on our SplunkCloud deployment, the source and sourcetype fields disappear from selected fields or interesting fields whenever a linux:audit event is present in the search results.
I can still use them in the search.
As soon as I disable the add-on, the fields return.
Assuming this search always contains linux:audit data, this is the behaviour I am seeing:
# Fields missing:
host=ip-10-231-16-14 index=test
# Fields missing:
host=ip-10-231-16-14 index=test sourcetype=linux:audit
# Fields appear correctly:
host=ip-10-231-16-14 index=test sourcetype!=linux:audit
I've never seen this kind of behaviour. Any ideas what's going on?
Thanks
@balmeida that's super weird. Thanks for bringing it to my attention. Could you please open a ticket with support, as that sounds like a Splunk bug.