Hello!
Using the props.conf with no modifications, the field aliases for sourcetype hx_cef_syslog are not working.
For example, the field in my event:
dmac = 00:22:44:66:88:aa
Yet defined in props.conf under the [hx_cef_syslog] stanza is:
FIELDALIAS-src_mac_for_fireeye = dmac as src_mac
Another example which fails to work: FIELDALIAS-src_for_fireeye = dst as src
- this has no effect on the fields in events returned at search-time. Commenting out the lines has no effect either.
The app is installed on both the search head and indexers; regex extractions look to be working OK, it's just field aliases which are failing.
Thanks.
We have a Splunk PS consultant on site this week, and he's managed to identify what was going wrong.
The field extractions we saw which were working were simply because of the automatic KV mode operating; the FireEye TA was being ignored. This was due to permissions on the TA itself not allowing search or ES to access the TA:
Under Manage Apps:
Find the FireEye app
Click Permissions:
Under: Sharing for config file-only objects
Change it from “This app only (system)” to “All apps”
This makes all of the knowledge objects available to other applications, including Search and Enterprise Security.
Obviously more granular permissions can be set if desired.
Hope this helps someone else struggling with the same issue.
G.
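What the permission change above corresponds to on disk, as an added illustration that is not part of the original post (the TA directory name and the exact access list are assumptions; the props.conf stanza is the one quoted in the question):

```ini
# $SPLUNK_HOME/etc/apps/<fireeye-ta-dir>/default/props.conf
# Search-time aliases only apply if the app's knowledge objects are visible to the
# app the search runs in (Search, Enterprise Security, ...).
[hx_cef_syslog]
FIELDALIAS-src_mac_for_fireeye = dmac as src_mac
FIELDALIAS-src_for_fireeye = dst as src

# $SPLUNK_HOME/etc/apps/<fireeye-ta-dir>/metadata/local.meta
# "This app only (system)" leaves the objects unexported (export = none).
# Choosing "All apps" in Manage Apps -> Permissions writes the global stanza below.
[]
access = read : [ * ], write : [ admin ]
export = system

# To confirm which file Splunk actually merges the alias from, run on the search head:
#   splunk btool props list hx_cef_syslog --debug
```

If the `--debug` output shows the FIELDALIAS lines but searches in another app still lack the alias, the remaining suspect is the metadata export, not the props.conf syntax.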
Same issue for me on a single Splunk v6.6.3 instance (SH and indexer on a single server) with FireEye App for Splunk Enterprise v3.1.1.
If I try a search in the FireEye App, the field alias doesn't work, so dashboards are not populated correctly.
When I try a search in the Splunk default Search app, all field aliases extract correctly.
I've tried setting global permissions on the app with no luck.
Any suggestion?
Regards
So it turns out that you need to do Field Aliasing on Indexers rather than on Search Heads.
Previously I was adding field aliases on search heads for the FireEye App, as all my other aliases are defined on search heads, but only the FE field aliases weren't working.
With the help of Tony, I figured out that if we do field aliasing on indexers then it works as normal.
Posting the solution, just in case someone looks for it in future.
Thanks Tony for the help.
-Fatema.
This didn't work for me.
Tried to change this setting on both search heads with the app and indexers with the TA.
I am trying to alias a field in FE events, src_ip, to clientip without any success. Also, I have a calculated field 'clientip' for other eventtypes and it works perfectly as expected. Any ideas why it isn't working for the FE app?
There are probably too many moving parts in play to troubleshoot via Splunk Answers. Shoot me an email via the help -> send feedback option in the FireEye Splunk app and we can troubleshoot it via email or webex and post the answer back here.
Please include the following information:
- Brief description of Splunk configuration (Types of forwarders, number of indexers, and search heads)
- Where you have the FireEye app and FireEye TA installed
- Do you have ES installed on the same search head?
- Description of what you are trying to accomplish
Thanks,
-Tony
Hi Tony,
Just shot you an email with the information required.
Thanks.
Fatema.
Hello
Just to check, you've updated the permissions as described?
Also, are other field aliases working? A good test is looking for the field "action" which is aliased from "act" in the original event.
Thanks.
I have updated the permissions on FE app on Search Heads as well as the permissions on _cluster under manage apps on indexers (as that's where the FE app TA is installed, couldn't see the explicit TA on the manage apps page).
Thanks.
Thank you for posting the answer. Let us know if you run into any issues after using it for a while.
Please use the Help -> Send Feedback feature and we can set up a WebEx to troubleshoot. Then we will post the answer here.
Thanks for the prompt reply! Will do