Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where my Fields at in Splunk 7.0? (Homie!)

baegoon
Explorer
‎04-05-2018 12:04 PM

I've created some field extractions from sourcetypes such as syslog and access_common on my search head. These are all inline fields and most are regex based. When I perform a general search such as sourcetype=syslog I see all of my fields under "Interesting Fields" fine I even moved them up to 'Selected Fields" that works fine.

When I add to my search such as sourcetype=syslog internal_src_ip=10.89.X.X OR internal_src_ip=10.89.Y.Y my field extractions DO NOT show up. And I can't specify them in the command line I checked all configs such as permissions and nothing seems to be hindering that.

I have the same extractions in Splunk 6.5 and my field extractions do show up when I perform advanced searches and my field extractions do show up in the "Interesting Fields" and "Selected Fields".

So is this quirk? I have been in google and splunk answers recently so this is kinda tricky to search.

Any insight on this is greatly appreciated.

0 Karma
Reply

p_gurav
Champion
‎04-06-2018 12:07 AM

Are you searching in "Verbose mode"? Also you can check with "extract" command. One question, what you put in field extraction, can you give sample?

0 Karma
Reply

baegoon
Explorer
‎04-06-2018 03:10 AM

Yes I tested all the modes, fast, smart, and verbose.

THe field extraction is: (?i).*? (?P\w+.[a-z_-]+.\w+.\w+.\w+)(?= )

This extracts websites from CISCO syslogs.

0 Karma
Reply

p_gurav
Champion
‎04-06-2018 03:14 AM

can you please give me props.conf file

0 Karma
Reply

baegoon
Explorer
‎04-06-2018 03:21 AM

So the text field is muttering up the REGEX bellow not sure why. but after the ?P is sslsite

[cisco_syslog]
TZ = UTC
EXTRACT-sslsite = "(?i).*? (?P\w+.[a-z_-]+.\w+.\w+.\w+)(?= )"

0 Karma
Reply

p_gurav
Champion
‎04-06-2018 03:24 AM

Sorry but why you are searching sourcetype=syslog, you should search sourcetype= cisco_syslog

0 Karma
Reply

baegoon
Explorer
‎04-09-2018 05:46 AM

That was an example when I first started the question. I am using sourcetype=cisco_syslog.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...