Splunk Cloud Platform

Field extraction in Splunk Cloud is not showing the whole event

anandhalagaras1
Communicator

Hi Team,

We have deployed Splunk Cloud in our environment. When I tried to extract the fields for the WinEventLog source (the events actually have more than 45 lines in them) using the GUI, it did not show the complete event. Instead I can see only 12 to 13 lines of the original event, and the remaining lines are missing in the Field Extractions tab.

So how can I get the whole event to show up during Field Extraction on the Splunk Cloud search head? Do we have any other options to extract the same? It is a requirement to extract all the fields in those particular logs.

Hence kindly help with the request.

0 Karma

richgalloway
SplunkTrust

The phrase "Splunk Cloud in our environment" is an anachronism.  The Splunk Cloud service exists only in Splunk's environment.  Any Splunk installation in your environment is not Splunk Cloud, but Splunk Enterprise.  So which do you really have?

How exactly did you try to extract fields?  Did you use an app/TA?  If so, which one(s)?   If you used your own extraction method, please share the relevant props.conf and transforms.conf stanzas.

Are you using Verbose mode when you search?  If not, please try it to see how many fields are displayed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
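Since the GUI field extractor only previews part of a long event, a practical alternative is to write the extraction regex yourself (for example in a props.conf EXTRACT stanza) and test it against a full event before deploying. The following is an added example, not code from the thread or from Splunk: it runs two regexes over a constructed, shortened WinEventLog-style event and pulls key=value header fields plus the indented "Name: Value" items under sections such as Subject and New Logon, which sit past the lines the GUI preview would show.

```python
import re

# Constructed sample event (not from the original thread). A real Security event
# has 40+ lines; this keeps only enough to span two indented sections.
SAMPLE_EVENT = """\
04/01/2024 10:15:32 AM
LogName=Security
EventCode=4624
ComputerName=host01.example.local
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
\tLogon Type:\t\t3

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE
"""

# Top-level "Key=Value" lines at the start of the event.
HEADER_RE = re.compile(r"^(?P<key>\w+)=(?P<value>.*)$", re.MULTILINE)
# A section heading ("Subject:", "New Logon:") followed by its tab-indented lines.
SECTION_RE = re.compile(
    r"^(?P<section>[A-Z][\w ]+):\s*\n(?P<body>(?:\t.*\n?)+)", re.MULTILINE
)
# One indented "Name:<tabs>Value" item inside a section body.
ITEM_RE = re.compile(r"^\t(?P<name>[^:\t]+):\t+(?P<value>.*?)\s*$", re.MULTILINE)


def extract_fields(event: str) -> dict:
    """Return a flat dict: header keys as-is, section items as Section_Name."""
    fields = {m["key"]: m["value"].strip() for m in HEADER_RE.finditer(event)}
    for sec in SECTION_RE.finditer(event):
        prefix = sec["section"].replace(" ", "_")
        for item in ITEM_RE.finditer(sec["body"]):
            name = item["name"].replace(" ", "_")
            fields[f"{prefix}_{name}"] = item["value"]
    return fields


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{key}={value}")
```

The same patterns can be pasted into a props.conf EXTRACT stanza once they match the full event; the point of testing offline is to confirm the deep fields resolve, which the truncated GUI preview cannot show you.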

anandhalagaras1
Communicator

@richgalloway ,

Thank you for your swift response.

The search head, cluster master and indexers are managed by Splunk Support and hosted in the cloud. Hence I used the term "Splunk Cloud in our environment".

Coming back to my query: I am currently searching the wineventlog in Verbose mode, and I tried to extract the fields via the GUI by clicking "Extract New Fields". Once it navigates to the next page, out of 40+ lines in an event I can only see 15 or so lines, not the full event. Hence I was not able to extract the relevant fields using the delimiter option in the GUI.

If there is any option to display the whole event while extracting the fields using the GUI, that would be fine for us.

Kindly help with my request.

0 Karma

richgalloway
SplunkTrust

I recommend using an app to do the field extraction for you.  There are several apps available on splunkbase that will process WinEventLog events.

---
If this reply helps you, Karma would be appreciated.
0 Karma

anandhalagaras1
Communicator

Thank you, I will explore the same in Splunkbase.

If possible, can you kindly provide the name of an app that can extract the fields related to wineventlog, so that I can submit a ticket with Splunk Support to get it installed on our Splunk Cloud search head?

0 Karma

richgalloway
SplunkTrust

Check out this app on your test instance https://splunkbase.splunk.com/app/742/

---
If this reply helps you, Karma would be appreciated.
0 Karma

anandhalagaras1
Communicator

Hi Team,

Can anyone help with my request?

0 Karma

richgalloway
SplunkTrust

You posted your question and follow-up while most users (who are in the US) are still asleep. Please be patient.

---
If this reply helps you, Karma would be appreciated.
0 Karma