Splunk Enterprise Security

Extracted field not showing up after creation, though it displays in "+ Extract New Fields"


There have been questions similar to this in the past, and none of the fixes listed have fixed my issue. The created extraction shows up when trying to extract new fields through Splunk's "extract new fields" ability. The field does not, however, show up on the left under interesting fields, nor can it be used in search. The field should exist in all events, so the coverage should be 100% anyway.

I have created a field extraction to make NGINX data CIM compliant, with the first extraction pulling the IP (src) from the beginning of the data. The regex used is as follows:
^(?P<src>[^ ]+)\s+
The permissions for this extraction are global. In an attempt to solve this issue I moved the context of it into the Search and Reporting app (search), but it was to no avail, as the issue persists.

1 Solution


I was able to find the issue to this problem. Splunk Add-on for Nginx is an app we installed to help with NGINX data. There were two field extractions that came with the add-on which were causing issues. The one being referenced here is the src alias:
nginxsourcetype : FIELDALIAS-nginx_src | src_ip AS src | No owner | Splunk_TA_nginx | Global (Permissions) | Enabled

The issue was that the extraction I was making was for ?P<src>. The alias overwrote any extraction made, and removed the extractions from the search results.
To fix this issue, rename what you are extracting, rename what the alias is renamed to, or remove the alias entirely.

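The conflict described in the accepted answer, laid out as props.conf stanzas. This is an added illustration, not configuration from the original post or from the Splunk Add-on for Nginx; the sourcetype name nginx_sourcetype and the EXTRACT class name nginx_client_ip are placeholders, and the "empty value in local/ disables the default/ setting" override is an assumption about the deployment.

```ini
# ---- Conflicting state (constructed illustration) ----

# $SPLUNK_HOME/etc/apps/search/local/props.conf
# The user's search-time extraction writes the client IP into "src".
[nginx_sourcetype]
EXTRACT-nginx_client_ip = ^(?P<src>[^ ]+)\s+

# $SPLUNK_HOME/etc/apps/Splunk_TA_nginx/default/props.conf
# The add-on's alias also targets "src". Splunk applies field aliases
# after field extractions at search time, so the alias wins: if "src_ip"
# is not present in the event, "src" ends up empty and the extracted
# value never reaches the results or the interesting-fields list.
[nginx_sourcetype]
FIELDALIAS-nginx_src = src_ip AS src

# ---- Fix option 1: switch off the add-on's alias with a local override ----
# $SPLUNK_HOME/etc/apps/Splunk_TA_nginx/local/props.conf
# (assumption: an empty value in local/ overrides the default/ setting;
#  editing local/ rather than default/ survives add-on upgrades)
[nginx_sourcetype]
FIELDALIAS-nginx_src =

# ---- Fix option 2: keep the alias, rename what is extracted ----
# $SPLUNK_HOME/etc/apps/search/local/props.conf
# Extract into "src_ip" instead; the add-on's alias then produces the
# CIM field "src" from that extraction rather than overwriting it.
[nginx_sourcetype]
EXTRACT-nginx_client_ip = ^(?P<src_ip>[^ ]+)\s+
```

After either change, run the search in verbose mode and confirm "src" appears under interesting fields with the expected coverage (a "| stats count by src" should no longer return an empty result).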



Thanks! This was driving me crazy, but that's the solution! Tricky.



Are you running your search in verbose mode?



Yes. The field also cannot be used within the search, such as "| stats count by myfield".


Can you check that you don't have any apps or add-ons that are possibly changing that sourcetype? I had an issue yesterday that was very similar. The field I wanted was not extracted, and after I manually extracted it, it would not show up in interesting fields. Turns out there was a conflict between *nix add-ons.
