Splunk Enterprise Security

Extracted field not showing up after creation, though it displays in "+ Extract New Fields"

justinw
Explorer

There have been questions similar to this in the past, and none of the fixes listed have fixed my issue. The created extraction shows up when trying to extract new fields through Splunk's "extract new fields" ability. The field does not, however, show up on the left under interesting fields, nor can it be used in search. The field should exist in all events, so the coverage should be 100% anyway.

I have created a field extraction to make NGINX data CIM compliant, with the first extraction pulling the IP (src) from the beginning of the data. The regex used is as follows:
^(?P<src>[^ ]+)\s+
The permissions for this extraction are global. In an attempt to solve this issue I moved its context into the Search and Reporting app (search), but it was to no avail, as the issue persists.

1 Solution

justinw
Explorer

I was able to find the issue to this problem. Splunk Add-on for Nginx is an app we installed to help with NGINX data. There were two field extractions that came with the add-on which were causing issues. The one being referenced here is the src alias:
nginxsourcetype : FIELDALIAS-nginx_src src_ip AS src No owner Splunk_TA_nginx Global | Permissions Enabled

The issue was that the extraction I was making was for ?P<src>. The alias overwrote any extraction made, and removed the extractions from the search results.
To fix this issue, rename what you are extracting, what the alias is renamed to, or remove the alias entirely.

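To make the conflict justinw describes concrete, here is a constructed props.conf walkthrough (added for this thread; not the add-on's real file, and the sourcetype name is a placeholder) showing the clash and the three fixes the answer lists:

```ini
# Constructed example, not from the thread or from Splunk_TA_nginx.
# Splunk applies search-time operations in a fixed order: EXTRACT-* regexes run
# before FIELDALIAS-*, so an alias that targets "src" gets the last word.

# --- The conflict (custom extraction in your app + alias shipped by the add-on) ---
[nginx_sourcetype]
# placeholder for the real nginx sourcetype
# Custom extraction: first token of the event goes into "src"
EXTRACT-custom_src = ^(?P<src>[^ ]+)\s+
# Alias from the add-on, as quoted above. The thread reports that this alias
# overwrites "src" and the extracted value disappears from search results.
FIELDALIAS-nginx_src = src_ip AS src

# The three blocks below are alternatives; use one of them, not all three.

# --- Fix 1 (your app's local/props.conf): rename what you extract ---
# Extract into src_ip instead, so the add-on's alias produces the CIM "src" for you.
[nginx_sourcetype]
EXTRACT-custom_src = ^(?P<src_ip>[^ ]+)\s+

# --- Fix 2 (Splunk_TA_nginx/local/props.conf): change what the alias renames to ---
# local/ overrides the add-on's default/. ASNEW only sets "src" when it is not already
# present; it is available in Splunk Enterprise 8.0 and later (check your version's docs).
[nginx_sourcetype]
FIELDALIAS-nginx_src = src_ip ASNEW src

# --- Fix 3 (Splunk_TA_nginx/local/props.conf): remove the alias entirely ---
# A blank value in local/ clears the setting inherited from default/.
[nginx_sourcetype]
FIELDALIAS-nginx_src =
```

After restarting or reloading, `splunk btool props list nginx_sourcetype --debug` shows which app supplies each EXTRACT and FIELDALIAS line, which is the quickest way to spot a clash like this one.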

bdgreene
New Member

Thanks! This was driving me crazy, but that's the solution! Tricky.

0 Karma

richgalloway
SplunkTrust

Are you running your search in verbose mode?

---
If this reply helps you, Karma would be appreciated.

justinw
Explorer

Yes. The field is also not able to be used within the search such as "| stats count by myfield"

gbeatty
Path Finder

Can you check that you don't have any apps or add-ons that are possibly changing that sourcetype? I had an issue yesterday that was very similar. The field I wanted was not extracted and after I manually extracted it would not show up in interesting fields. Turns out there was a conflict between *nix add-ons.

0 Karma