
User field is sometimes returning partial URL instead of User name

FunkyMcSplunky
New Member

Hi, I'm a new Splunk user and am using the TA-meraki tool downloaded from Splunkbase. Our appliance is a Meraki MX 100. We are using the free version of Splunk. As you can see from the attached screenshot, we are getting some strange results for the User field. In probably 80% of the logs, the user shows up correctly; however, sometimes it pulls a partial URL instead.

In the attached example, you can see that in the first log, the user=Rick, which is correct. In the second log, the user=part of the URL plus the user name. Splunk highlights the user field for Christy but then fills the User field with the wrong string.

Thanks for any help you can provide on this. Let me know if you need additional details.


micahkemp
Champion

Looking at the contents of TA-meraki, I don't see anything that should have extracted that field in that way.

Can you paste your search string that gave those results?


FunkyMcSplunky
New Member

Sure, my search string was:
sourcetype=meraki meraki_app="events-content_filtering_block"


elliotproebstel
Champion

It looks to me like there is a field extraction (possibly a part of the TA, possibly from some other TA/config) that is looking for "name=" and assigning the value to the field user. You could try using btool to see which configuration is performing this extraction. I think you should be able to find it if you run this from the command line as the splunk user on your search head:

$SPLUNK_HOME/bin/splunk btool transforms list --debug \
  | grep -A 1 user \
  | grep -B 1 name

That should show all the transforms.conf extractions, filter it down to lines that contain "user" (plus the 1 line immediately after) - which will preserve the line defining a transform for the field "user" and the line immediately after, which contains the pattern. Then it filters those down to lines that contain "name" (which would be in the pattern), while preserving the line immediately before - which should necessarily contain "user" from the previous step.
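
As an added example (not code from the thread or from TA-meraki), the script below does what the grep pipeline above does, but structurally: it parses `btool transforms list --debug` output into stanzas, keeps track of which file each stanza was merged from, and lists every transform that can populate a given field, whether through a named capture group in REGEX or through FORMAT = field::$n. The sample output it ships with is constructed; apart from TA-meraki, the app names, stanza names and regexes in it are invented.

```python
import re
import sys

# Constructed sample of `splunk btool transforms list --debug` output.
# With --debug, btool prefixes every emitted conf line with the file it was
# merged from. The app names other than TA-meraki, the stanza names and the
# regexes here are invented for this example.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunk/etc/apps/Splunk_TA_example/local/transforms.conf   [generic_name_user]
/opt/splunk/etc/apps/Splunk_TA_example/local/transforms.conf   REGEX = name=(?<user>\S+)
/opt/splunk/etc/apps/TA-meraki/default/transforms.conf         [meraki_user]
/opt/splunk/etc/apps/TA-meraki/default/transforms.conf         REGEX = user=(?<user>\S+)
/opt/splunk/etc/apps/TA-meraki/default/transforms.conf         [meraki_url]
/opt/splunk/etc/apps/TA-meraki/default/transforms.conf         REGEX = url=(?<url>\S+)
/opt/splunk/etc/apps/TA-meraki/default/transforms.conf         FORMAT = url::$1
/opt/splunk/etc/system/default/transforms.conf                 [syslog-host]
/opt/splunk/etc/system/default/transforms.conf                 DEST_KEY = MetaData:Host
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z_][\w.:-]*)\s*=\s*(?P<value>.*?)\s*$")


def parse_btool_debug(text):
    """Turn btool --debug output into {stanza: {"file": path, "settings": {key: value}}}.

    Each input line is '<source file path><whitespace><conf line>'. Paths with
    embedded spaces are not handled (rare under $SPLUNK_HOME/etc).
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue  # blank line, or a bare path with no conf content
        path, body = parts
        m = STANZA_RE.match(body)
        if m:
            current = m.group("name")
            stanzas[current] = {"file": path, "settings": {}}
            continue
        m = SETTING_RE.match(body)
        if m and current is not None:
            stanzas[current]["settings"][m.group("key")] = m.group("value")
    return stanzas


def transforms_writing_field(stanzas, field):
    """List (stanza, file, regex) for every transform that can populate `field`.

    A transform writes a field either through a named capture group in REGEX
    ((?<field>...) in Splunk's PCRE syntax) or through FORMAT = field::$n.
    Results are sorted by file path so competing definitions sit side by side.
    """
    hits = []
    for name, info in stanzas.items():
        regex = info["settings"].get("REGEX", "")
        fmt = info["settings"].get("FORMAT", "")
        via_group = ("(?<%s>" % field) in regex
        via_format = re.search(r"(?:^|\s)%s::" % re.escape(field), fmt) is not None
        if via_group or via_format:
            hits.append((name, info["file"], regex))
    hits.sort(key=lambda h: (h[1], h[0]))
    return hits


if __name__ == "__main__":
    # Usage: $SPLUNK_HOME/bin/splunk btool transforms list --debug | python3 find_field_transforms.py user
    # With no piped input the constructed sample above is used instead.
    field = sys.argv[1] if len(sys.argv) > 1 else "user"
    text = SAMPLE_BTOOL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for stanza, path, regex in transforms_writing_field(parse_btool_debug(text), field):
        print("[%s]  %s\n    REGEX = %s" % (stanza, path, regex))
```

Against the sample it reports two transforms writing `user`, one from each app, with the file each came from; on a real search head, run it as the splunk user with the btool output piped in and look for the definition that does not live under TA-meraki.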

FunkyMcSplunky
New Member

Thanks for your help. I am going to have to look into that a bit more to understand what you are talking about.


elliotproebstel
Champion

Sure thing. Here's some documentation about btool, in case you aren't familiar with it:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

It's a great tool for debugging how Splunk is applying configurations. And this isn't the easiest Splunk topic to jump right into and digest, but it might be helpful to read about the order in which Splunk applies configuration settings:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

At its root, what you're seeing here is that Splunk is applying field extractions based on sourcetype, and there is likely another configuration file (beyond what's present in the TA-meraki add-on) that has a pre-defined field extraction that's taking precedence here. Presumably, you are running your search from within some app context (maybe even just the default search & reporting app). As you search, Splunk is applying all relevant field extractions for the sourcetype of the data being returned. If there is another app/add-on with field extractions for that sourcetype, and if that other app comes lexicographically before "TA-meraki", then the field extractions for that other app will take precedence. If you can locate the other app's field extraction definitions, we could potentially help you refine the regular expression that's stomping on your TA-meraki user extractions. The command line tool btool that Splunk provides is your best bet for locating that other extraction.

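
An added example (not from the thread, TA-meraki, or Splunk) of the mechanism described in the answer above: two apps both define a `user` extraction for the same sourcetype, and the one whose regex is keyed on "name=" matches inside a URL query string, producing exactly the "part of the URL plus the user name" symptom from the question. The app name `Splunk_TA_example`, both regexes and the sample events are constructed; the events are not the real Meraki MX log format, which the thread only shows as a screenshot. The precedence function applies the rule as the answer states it (lexicographically first app wins); the real rules in the precedence documentation linked above are fuller (settings from the app you are searching in are considered first), so treat it as an illustration of the ordering, not a reimplementation.

```python
import re

# Constructed sample events. This is NOT the real Meraki MX syslog format (the
# thread only shows a screenshot); the lines just reproduce the ingredient of the
# symptom: key=value events whose URL query string can also contain "name=".
SAMPLE_EVENTS = [
    "content_filtering_block src=10.1.1.20 user=Rick url=https://example.test/news/",
    "content_filtering_block src=10.1.1.21 user=Christy url=https://example.test/profile?name=Christy&tab=1",
    "content_filtering_block src=10.1.1.22 user=Bob url=https://example.test/dl?filename=report.pdf",
]

# Two apps whose transforms both populate "user" for the same sourcetype.
# Splunk writes named groups as (?<user>...); Python's re spells it (?P<user>...).
# "Splunk_TA_example" and both regexes are hypothetical; only TA-meraki is from the thread.
APP_EXTRACTIONS = {
    "Splunk_TA_example": re.compile(r"name=(?P<user>\S+)"),        # loose: fires inside URLs
    "TA-meraki": re.compile(r"(?:^|\s)user=(?P<user>[^\s,]+)"),   # anchored on the real key
}


def extract(pattern, event, field="user"):
    """Apply one extraction regex to one event; None when it does not match."""
    m = pattern.search(event)
    return m.group(field) if m else None


def winning_app(apps):
    """Precedence rule as stated in the answer: among apps defining an extraction
    for the same sourcetype, the lexicographically first app name takes precedence."""
    return sorted(apps)[0]


def extract_with_precedence(apps, event, field="user"):
    """Value the search would show for `field` under the winning app's regex."""
    return extract(apps[winning_app(apps)], event, field)


def compare_extractions(apps, events, field="user"):
    """Per app, the list of values its regex yields for each event; lining them
    up side by side shows which definition produces URL fragments instead of names."""
    return {app: [extract(rx, e, field) for e in events] for app, rx in apps.items()}


if __name__ == "__main__":
    print("winning app:", winning_app(APP_EXTRACTIONS))
    for app, values in compare_extractions(APP_EXTRACTIONS, SAMPLE_EVENTS).items():
        print("%-18s %s" % (app, values))
```

Because `Splunk_TA_example` sorts before `TA-meraki`, its loose regex wins and the second event yields `Christy&tab=1` while the third yields `report.pdf`; the anchored TA-meraki regex returns `Rick`, `Christy`, `Bob` on the same lines. Anchoring on the actual key (`(?:^|\s)user=`) rather than on a substring like `name=` is the usual repair once the offending stanza has been found.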

FunkyMcSplunky
New Member

Thanks for the follow up and for pointing me in the right direction. 🙂


elliotproebstel
Champion

Happy to help! If you are able to locate the troublesome extraction that's getting in your way, please do make a post about it. Lots of people around here love helping fix regular expressions (myself included, but I'm not one of the top performers in the field)!
