Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field mapping

a212830
Champion
‎09-02-2014 08:00 AM

Hi,

I have a question from one of my customers, and I'm not sure on the answer. Can anyone help me? We index bluecoat proxy logs and map fields, but they want to know if there is any way to validate that the mapping is working, or if the data isn't formatted properly.

Where Splunk internals are attempting to ingest log data (e.g. Bluecoat log data) – based on a configuration mapping –for an expected set of fields, and some of those fields are either

a) Not present in the raw data set being ingested or
b) Not the expected structure (too long / too short / not well formed, garbled etc.) – what happens in that case when Splunk fails to map – does Splunk log the mapping failure event somewhere ?

Any information you could provide on Splunk failure logging around field mapping when ingesting data would be useful for us when verifying how well Bluecoat log ingestion for Splunk is working.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-02-2014 12:46 PM

The field mapping is made at search time in almost all cases, so there is likely no point in logging that.

What you could do is to look at the field count for some field that is supposed to be in every event - for proxy logs I guess that clientip, http-status, time-taken or bytes (or field names with that intent) should be in every event. If you search for e.g.

sourcetype = bcoat_proxy NOT clientip=*

OR 

sourcetype = bcoat_proxy | head 1000 | stats c(bytes)

will give you an indication if the field extraction is working well.

/K

0 Karma
Reply

a212830
Champion
‎09-02-2014 03:20 PM

These field mappings are done at the indexer layer.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...