Deployment Architecture

Where my Fields at in Splunk 7.0? (Homie!)

baegoon
Explorer

I've created some field extractions from sourcetypes such as syslog and access_common on my search head. These are all inline fields and most are regex based. When I perform a general search such as sourcetype=syslog I see all of my fields under "Interesting Fields" fine I even moved them up to 'Selected Fields" that works fine.

When I add to my search such as sourcetype=syslog internal_src_ip=10.89.X.X OR internal_src_ip=10.89.Y.Y my field extractions DO NOT show up. And I can't specify them in the command line I checked all configs such as permissions and nothing seems to be hindering that.

I have the same extractions in Splunk 6.5 and my field extractions do show up when I perform advanced searches and my field extractions do show up in the "Interesting Fields" and "Selected Fields".

So is this quirk? I have been in google and splunk answers recently so this is kinda tricky to search.

Any insight on this is greatly appreciated.

0 Karma

p_gurav
Champion

Are you searching in "Verbose mode"? Also you can check with "extract" command. One question, what you put in field extraction, can you give sample?

0 Karma

baegoon
Explorer

Yes I tested all the modes, fast, smart, and verbose.

THe field extraction is: (?i).*? (?P\w+.[a-z_-]+.\w+.\w+.\w+)(?= )

This extracts websites from CISCO syslogs.

0 Karma

p_gurav
Champion

can you please give me props.conf file

0 Karma

baegoon
Explorer

So the text field is muttering up the REGEX bellow not sure why. but after the ?P is sslsite

[cisco_syslog]
TZ = UTC
EXTRACT-sslsite = "(?i).*? (?P\w+.[a-z_-]+.\w+.\w+.\w+)(?= )"

0 Karma

p_gurav
Champion

Sorry but why you are searching sourcetype=syslog, you should search sourcetype= cisco_syslog

0 Karma

baegoon
Explorer

That was an example when I first started the question. I am using sourcetype=cisco_syslog.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.