
Fields & Field Aliases not getting used

Path Finder

I am using Splunk for Blue Coat and I have determined what the fields need to be and what order they are in, but when I put the list into the transforms.conf file and run a search, some fields are left off.

FIELDS = "date", "time", "time_taken", "c_ip", "src_user", "user_group", "x_exception_id", "filter_result", "category", "http_referrer", "sc_status", "http_method", "action", "http_content_type", "uri_scheme", "dest_host", "dest_port", "uri_path", "uri_query", "uri_extension", "http_user_agent", "dvc_ip", "cs_bytes", "sc_bytes", "x_virus_id", "x_bc_app_name", "x_bc_app_op"

The problems occur at sc_status. This field does not pull into search for some reason. When I try to add it to my selected fields, it shows up in the selected field list but not in the available fields list. I thought there might be some issue with aliases because this field had an alias in the props.conf file, so I commented it out, but that did not fix the issue. Does anyone know what's going on here? Thanks in advance.

Sample Event - Each line correlates to a field:

2013-01-30
22:15:07
698
10.100.10.100
USER
-
-
OBSERVED
"Web Advertisements"
-
200
TCP_NC_MISS
GET
text/html;%20charset=UTF-8
http
googleads.g.doubleclick.net
80
/pagead/ads
?client=....Huge Long Query String...
www.kpdirection.com
-
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko)  Chrome/24.0.1312.56 Safari/537.17"
101.111.11.10
515
1120
-
"none"
"none"

Re: Fields & Field Aliases not getting used

Legend

How do the other settings look? Also, can you show a sample event?


Re: Fields & Field Aliases not getting used

Path Finder

I have not adjusted any other settings. The main issue has been the data in each field, which has been determined to be primarily because the index fields were out of order with the input data. So I've just changed that and commented out the aliases.


Re: Fields & Field Aliases not getting used

Path Finder

After restarting the server a few times and then running a couple more searches, the fields became available. I did have to comment out the aliases, so there is an issue there. Also, I had to add a placeholder field that appears to account for an extra space in the event data.

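A way to check the alignment problem this thread is about before trusting the extracted fields, as an added example that is not code from the posts above or from Splunk. It tokenizes the question's sample event the way a whitespace-delimited extraction would (double-quoted values kept whole), assigns the tokens to the posted FIELDS list in order, and reports the symptoms of misalignment: leftover tokens, fields with no value, non-numeric values in fields that must be numeric, and a non-verb in http_method. Assumptions, all labelled in the code: the sample is rejoined onto one line with the query string shortened; the bare www.kpdirection.com token after the query is treated as the "extra space" the accepted reply mentions (an unquoted value that contains a space); the placeholder field is inserted right after uri_query, since the reply does not say where; and the set of HTTP verbs is a hypothetical allowlist. The check also surfaces something visible in the posted sample itself: TCP_NC_MISS precedes GET, so with the list as posted http_method receives the cache action.

```python
"""Check one Blue Coat access-log line against a Splunk FIELDS list.

Added example, not code from the thread or from Splunk: it splits an event
the way a whitespace-delimited extraction would, assigns tokens to field
names in order, and reports the symptoms of misalignment discussed above.
"""
import re

# FIELDS exactly as posted in the question, order preserved.
FIELDS = [
    "date", "time", "time_taken", "c_ip", "src_user", "user_group",
    "x_exception_id", "filter_result", "category", "http_referrer",
    "sc_status", "http_method", "action", "http_content_type", "uri_scheme",
    "dest_host", "dest_port", "uri_path", "uri_query", "uri_extension",
    "http_user_agent", "dvc_ip", "cs_bytes", "sc_bytes", "x_virus_id",
    "x_bc_app_name", "x_bc_app_op",
]

# Assumed fix modelled on the accepted reply: one placeholder field. Its
# position (right after uri_query) is an assumption; the reply does not say.
FIELDS_WITH_PLACEHOLDER = FIELDS[:19] + ["placeholder"] + FIELDS[19:]

# Same list with action before http_method, matching the token order
# (TCP_NC_MISS then GET) visible in the posted sample event.
FIELDS_REORDERED = [
    "action" if f == "http_method" else "http_method" if f == "action" else f
    for f in FIELDS_WITH_PLACEHOLDER
]

# The question's sample event rejoined onto one line (query string shortened;
# constructed). The bare "www.kpdirection.com" token after the query is kept
# as posted: an unquoted value containing a space is one way an event grows
# an extra token.
SAMPLE_EVENT = (
    "2013-01-30 22:15:07 698 10.100.10.100 USER - - OBSERVED "
    '"Web Advertisements" - 200 TCP_NC_MISS GET text/html;%20charset=UTF-8 '
    "http googleads.g.doubleclick.net 80 /pagead/ads ?client=ca-pub "
    "www.kpdirection.com - "
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) '
    'Chrome/24.0.1312.56 Safari/537.17" 101.111.11.10 515 1120 - "none" "none"'
)

# Constructed variant without the stray token, to show the placeholder is brittle.
CLEAN_EVENT = SAMPLE_EVENT.replace("www.kpdirection.com ", "")

# Hypothetical allowlist of HTTP verbs used only for the sanity check below.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(event):
    """Split on whitespace, keeping double-quoted values (category, UA) whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(event)]


def check(fields, event):
    """Assign tokens to fields in order and return a list of alignment problems.

    An empty list means every field got a plausible value and nothing was
    left over; it does not prove the mapping is right, only that nothing
    obviously disagrees with it.
    """
    tokens = tokenize(event)
    record = dict(zip(fields, tokens))
    problems = []
    if len(tokens) > len(fields):
        problems.append(f"{len(tokens) - len(fields)} token(s) unassigned: {tokens[len(fields):]}")
    if len(fields) > len(tokens):
        problems.append(f"no value for: {fields[len(tokens):]}")
    # Fields that must be integers when present ("-" means absent in this format).
    for name in ("time_taken", "sc_status", "dest_port", "cs_bytes", "sc_bytes"):
        value = record.get(name, "-")
        if value != "-" and not value.isdigit():
            problems.append(f"{name}={value!r} is not numeric")
    if record.get("http_method") not in HTTP_METHODS:
        problems.append(f"http_method={record.get('http_method')!r} is not an HTTP verb")
    return problems


if __name__ == "__main__":
    for label, fields in (("as posted", FIELDS),
                          ("with placeholder", FIELDS_WITH_PLACEHOLDER),
                          ("placeholder + reordered", FIELDS_REORDERED)):
        for name, event in (("sample", SAMPLE_EVENT), ("clean", CLEAN_EVENT)):
            print(f"{label:24} {name:7} -> {check(fields, event) or 'aligned'}")
```

Run stand-alone, the table it prints shows the trade-off the accepted reply glosses over: the placeholder makes the posted sample line up, but an event without the stray token then comes up one field short, so the last field (here x_bc_app_op) silently goes empty. A count mismatch is the reliable signal; the value-shape checks only catch shifts that happen to land a non-numeric token in a numeric field, so run them over many events rather than one.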