Dashboards & Visualizations

Why am I Unable to extract fields from package source type on (splunk_TA_*nix)app?

Anu
Path Finder

Hi,

I'm trying to create a report that has information about all the hosts with the kernel version and OpenSSL version and SSH version. The package.sh (sourcetype=package)script on the Splunk_TA_*nix app fetches all the information but the issue is I'm not able to extract fields from the  sourcetype=package.Any help is appreciated

 

 

Labels (2)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

I just try with my lab env and here this works as expected.

index=os_unix* sourcetype=package NAME IN (openssh*, kernel*)
| table NAME VERSION RELEASE
| dedup NAME VERSION RELEASE

I have installed TA nix on source system and also on my SH. 

View solution in original post

Anu
Path Finder

Thank you so much for the reply @gcusello  and @isoutamo . 

Please find the sample logs.

NAME VERSION RELEASE ARCH VENDOR GROUP
initscripts 10.00.18 1.el8 x86_64 Red Hat, Inc. Unspecified
fuse 2.9.7 16.el8 x86_64 Red Hat, Inc. Unspecified
libattr 2.4.48 3.el8 x86_64 Red Hat, Inc. Unspecified
xmlsec1-openssl 1.2.25 4.el8 x86_64 Red Hat, Inc. Unspecified
lua 5.3.4 12.el8 x86_64 CentOS Development/Languages
zip 3.0 23.el8 x86_64 Red Hat, Inc. Applications/Archiving
libidn2 2.2.0 1.el8 x86_64 Red Hat, Inc. Unspecified
popt 1.18 1.el8 x86_64 Red Hat, Inc. System Environment/Libraries
nimsoft-robot 9.33 1 x86_64 CA Technologies System/Daemons

 

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Anu,

did you extracted the logs?

if yes, you can use the search from @isoutamo, if not, you can add to this search a regex extraction:

index=os_unix* sourcetype=package NAME IN (openssh*, kernel*)
| rex "^(?<NAME>[^ ]+)\s+(?<VERSION>[^ ]+)\s+(?<RELEASE>[^ ]+)\s+"
| table NAME VERSION RELEASE
| dedup NAME VERSION RELEASE

Ciao.

Giuseppe

 

0 Karma

Anu
Path Finder

Hi @gcusello ,

yes, i  did try both queries but still no luck.

Anu_0-1692706390600.png

Thanks

Anu

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Anu ,

could you sshare some sample of your logs?

Ciao.

Giuseppe

0 Karma

Anu
Path Finder
 

@isoutamo  Can you please help

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

can you post what you have already try and also part of sample package events?

r. Ismo

0 Karma

isoutamo
SplunkTrust
SplunkTrust

I just try with my lab env and here this works as expected.

index=os_unix* sourcetype=package NAME IN (openssh*, kernel*)
| table NAME VERSION RELEASE
| dedup NAME VERSION RELEASE

I have installed TA nix on source system and also on my SH. 

Anu
Path Finder

Yes i did install the app on sh too.

Tags (1)
0 Karma

Anu
Path Finder

@isoutamo  The query is not yielding any results in my environment. I suspect it is because the NAME field is not extracted.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Anu,

if you don't have the NAME field the main search will always not have results.

Anyway, good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust
SplunkTrust

Have you installed TA..nix also on your search head and check that i5 has shared globally? 
Your index is probably something else than os_unix*? If you don’t know the name try

index=* sourcetype=package system OR openssh 

If you haven’t have TA…nix installed, you should install it onto SH too and share it globally. That will enable this and other field extractions, tag and eventtypes to your use.

Another option is use that rex which @gcusello predented.

0 Karma

Anu
Path Finder

Hi @isoutamo ,

I have installed the TA*nix app on search heads as well,my index is os.I can see the results when i do the basic search index=* sourcetype=package but when i add NAME IN i dont see any results.Attached the screenshots for reference.

Anu_0-1692786981777.png

 

 

Anu_1-1692787023919.png

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

And you have check that it's sharing is Global and status enabled?

isoutamo_0-1692787736151.png

When I look your output, it shows that your onboarding is not working correctly. Your query should return something like this

isoutamo_0-1692787946990.png

Please check that you have also this Splunk_TA_nix installed on your UF + Indexer / first full enterprise instance counting from UF. 

Anu
Path Finder

Hi ,

The query started working after upgrading the app to the 8.10 version.

 

@isoutamo , @gcusello Thank you for the help

Roy_9
Motivator

@Anu Can you double check the index name which you used while configuring this add-on?

if the index name is correct, give index=* and see if it fetches any results.

0 Karma

Anu
Path Finder

Hi @Roy_9 ,

 

Yes i do see results when i do the basic search with index and sourcetype .see above comment for more details.

 

Thanks

Anu

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...