Since upgrading to Splunk version 7.2.3, some field extractions aren't showing up in searches properly, in particular with "SplunkTAbluecoat-proxysg", the TA app for the Blue Coat proxy.
In this example I would like to focus on the "httpuseragent" field. This was working just fine and I could see data prior to upgrading.
FIELDALIAS-useragent = csUserAgent as httpuser_agent
Can you please help us figure this out and get the field extractions working correctly again?
The reason is that if the field was not created in the first round but works after the second, that is an indicator that conditions which weren't met in order to extract the fields the first time are now met during the second.
Please refer to the following URL for the information:
For the httpuseragent field, it is because the transforms.conf defines the httpuseragent field instead of csUserAgent.
There is no csUserAgent field being extracted in the transforms.conf.
If you change this httpuseragent to csUserAgent, this will extract csUserAgent along with its alias httpuseragent.
1) Why was the alias name not an issue in the previous version?
Indeed, in version 7.0.3, the alias works fine without the need to extract from the original field name.
2) The customer tested on one of the search head instances in the cluster; however, it is not working after the configuration was applied.
As a general rule, for a search head cluster, it is recommended to use the deployer for app and configuration updates. This eliminates the conflict with the run-time updates that the cluster replicates automatically. Thus directly editing a configuration file on one of the search head members is not recommended. When you perform app and configuration updates on one of the search head members, this could conflict with the runtime configuration.
"Caution: You must use the deployer, not the deployment server, to distribute apps to cluster members. Use of the deployer eliminates the possibility of conflict with the run-time updates that the cluster replicates automatically by means of the mechanism described in Configuration updates that the cluster replicates."
"Runtime changes or additions to knowledge objects, such as saved searches, lookup tables, and dashboards. For example, when a user in Splunk Web defines a field extraction, the cluster replicates that field extraction to all search heads in the cluster."
"If you directly edit a configuration file, the cluster does not replicate it. Instead, you must use the deployer to distribute the file to all cluster members."
I am not sure if this is the exact problem you are having, but if it really did work before and now doesn't, you are probably having this problem:
The behaviour of field aliases changed. See this thread for more detail: https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html
You can use coalesce to fix the problem. I can't see this tracked as a known issue, but I have a feeling it will be corrected soon (maybe?)
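To make both answers concrete (the transforms.conf fix from the support reply and the coalesce workaround from the reply above), here is an added example in Splunk conf syntax; it is not the TA's own configuration. The sourcetype name, transform stanza names and the regex are constructed for illustration; the alias line is the one from the question.

```ini
# transforms.conf (constructed stanzas, not the TA's real ones)

# Before: the extraction names the alias target directly. The alias
# source csUserAgent therefore never exists at search time, and in
# 7.2.x a FIELDALIAS whose source field is absent produces nothing.
[proxysg_useragent_broken]
# constructed regex: last double-quoted token followed by one more field
REGEX = "([^"]*)"\s+\S+$
FORMAT = httpuseragent::$1

# After: extract the original field under its own name so that the
# alias has something to alias from.
[proxysg_useragent]
REGEX = "([^"]*)"\s+\S+$
FORMAT = csUserAgent::$1

# props.conf

# constructed sourcetype name
[bluecoat:proxysg:access]
# Search-time order is REPORT (extractions) -> FIELDALIAS -> EVAL,
# so csUserAgent must exist before the alias below can fire.
REPORT-useragent = proxysg_useragent
FIELDALIAS-useragent = csUserAgent as httpuser_agent

# Workaround if the transform cannot be changed yet: a calculated
# field fills the target from whichever name the extraction produced.
# The same expression works ad hoc in a search:
#   ... | eval httpuser_agent=coalesce(csUserAgent, httpuseragent)
EVAL-httpuser_agent = coalesce(csUserAgent, httpuseragent)
```

After changing these files, verify on a test event with `| table csUserAgent httpuseragent httpuser_agent` so you can see which of the three names is actually populated, and push the change through the deployer rather than editing a cluster member directly.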