- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- My search parses all fields in the Search App, but...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I wrote this search that shows me when certain SSIDs are matched.
sourcetype=rogap SSID="*skynet*" OR SSID="*skymobile*" OR SSID="*skyguest*" | table src AP_name MAC SSID channelNumber location
All the fields in the search are correctly parsed in verbose mode. The search shows the correct results both in fast and verbose mode, but when I put it in a correlation search in Splunk Enterprise Security I have no results.
I modified the search to find the error. If I put this search:
sourcetype=rogap skynet | fields src AP_name MAC SSID channelNumber location | fillnull value=null | table src AP_name MAC SSID channelNumber location
I have a result, but all the fields are null.
src AP_name MAC SSID channelNumber location
null null null null null null
So I think the problem is that in the correlation search, Splunk can't check the SSID value and so it doesn't return any results.
How can I solve this problem?
I already tried to use |fields ....| with no results
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the name of the app that contains the extractions? Is it a Splunk Technology add-on or something custom? If it's custom you may need to look at the following in order to get it to work, I've bumped into that issue a couple times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the name of the app that contains the extractions? Is it a Splunk Technology add-on or something custom? If it's custom you may need to look at the following in order to get it to work, I've bumped into that issue a couple times.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was a problem about the name of the custom app. I renamed it as TA- instead of HA- and now it works correctly. Many thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Additional info: i think the problem is that in the "Search & Reporting" App all fields are extracted correctly, but in Enterprise Security the log are not parsed. So i suppose that the correlation search can't find the fields like I described in my question.
Any idea about the reason of this behavior?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any field extraction setup for those fields and if yes, what is the sharing permissions on those?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, there is an app made for the fields extraction installed on the SH and the permissions are for all apps. If you want i could show you the .conf files that you need to check.
The strange think is that in the other apps the fields are extracted, but not in the Enterprise Security app.
Access Tokens Page - New & Improved
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
