Splunk Enterprise Security

Enterprise Security: What are the extraction fields?


We wonder what the identity, Asset, File and URL Extraction fields are in the Notable set-up of the correlation search.

alt text

0 Karma


If the Identity and Asset extraction features pull their information from the assets/identities lookup tables where does the File and URL extraction features pull their information from?

0 Karma


Those fields are where you tell the Notable where to find fields of each type. That is, the fields it should use for Identity information are 'src_user', and 'user'; the fields containing Asset information are 'src', 'dest', 'dvc', and 'orig_host'; and so on.

If this reply helps you, an upvote would be appreciated.
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!