Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

field mapping

a212830
Champion
‎09-02-2014 08:00 AM

Hi,

I have a question from one of my customers, and I'm not sure on the answer. Can anyone help me? We index bluecoat proxy logs and map fields, but they want to know if there is any way to validate that the mapping is working, or if the data isn't formatted properly.

Where Splunk internals are attempting to ingest log data (e.g. Bluecoat log data) – based on a configuration mapping –for an expected set of fields, and some of those fields are either

a) Not present in the raw data set being ingested or
b) Not the expected structure (too long / too short / not well formed, garbled etc.) – what happens in that case when Splunk fails to map – does Splunk log the mapping failure event somewhere ?

Any information you could provide on Splunk failure logging around field mapping when ingesting data would be useful for us when verifying how well Bluecoat log ingestion for Splunk is working.

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-02-2014 12:46 PM

The field mapping is made at search time in almost all cases, so there is likely no point in logging that.

What you could do is to look at the field count for some field that is supposed to be in every event - for proxy logs I guess that clientip, http-status, time-taken or bytes (or field names with that intent) should be in every event. If you search for e.g.

sourcetype = bcoat_proxy NOT clientip=*

OR 

sourcetype = bcoat_proxy | head 1000 | stats c(bytes)

will give you an indication if the field extraction is working well.

/K

0 Karma
Reply

a212830
Champion
‎09-02-2014 03:20 PM

These field mappings are done at the indexer layer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...