Splunk Enterprise Security

My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

splunk_cv
Explorer

Hi all,

I wrote this search that shows me when certain SSIDs are matched.

sourcetype=rogap SSID="*skynet*" OR SSID="*skymobile*" OR SSID="*skyguest*" | table src AP_name MAC SSID channelNumber location 

All the fields in the search are correctly parsed in verbose mode. The search shows the correct results both in fast and verbose mode, but when I put it in a correlation search in Splunk Enterprise Security I have no results.

I modified the search to find the error. If I put this search:

sourcetype=rogap skynet | fields src AP_name MAC SSID channelNumber location | fillnull value=null  | table src AP_name MAC SSID channelNumber location

I have a result, but all the fields are null.

src   AP_name  MAC   SSID  channelNumber  location
null  null     null  null  null           null

So I think the problem is that in the correlation search, Splunk can't check the SSID value and so it doesn't return any results.

How can I solve this problem?
I already tried to use |fields ....| with no results.

Thanks

1 Solution

ryanoconnor
Builder

What is the name of the app that contains the extractions? Is it a Splunk Technology add-on or something custom? If it's custom you may need to look at the following in order to get it to work, I've bumped into that issue a couple times.

http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a...

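One way to check which search-head apps the ES app-import allowlist actually covers, as an added Python example (not from this thread and not Splunk's own code): it parses a constructed inputs.conf fragment modelled on the ES app-import modular input and applies its regex to sample app names, which shows why an "HA-" prefixed extraction app is invisible to correlation searches while the "TA-" rename is picked up. The stanza name, the regex and the whole-name matching are assumptions to verify against your own ES configuration.

```python
import re
from configparser import ConfigParser

# Constructed fragment modelled on the ES app-import modular input (an assumption:
# compare with $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
# on your own search head, the real regex may differ by version).
ES_INPUTS_CONF = """
[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
"""

# Constructed sample of app directories on the search head. "HA-rogap" stands for the
# custom extraction app from the question before it was renamed to "TA-rogap".
SEARCH_HEAD_APPS = ["search", "HA-rogap", "TA-rogap", "Splunk_TA_cisco-wsa", "my_dashboards"]


def load_import_regex(conf_text: str) -> re.Pattern:
    """Pull the app_regex allowlist out of an inputs.conf-style fragment."""
    cp = ConfigParser(interpolation=None)  # values contain '|' and '(', no interpolation
    cp.read_string(conf_text)
    pattern = cp["app_imports_update://update_es"]["app_regex"]
    return re.compile(pattern)


def classify_apps(apps, pattern: re.Pattern) -> dict:
    """Map each app name to True if the allowlist covers it, else False.

    Whole-name matching is assumed; an app that is not covered keeps its
    props/transforms extractions out of the ES search context, so a correlation
    search sees the raw events but none of the extracted fields.
    """
    return {app: bool(pattern.fullmatch(app)) for app in apps}


def apps_not_imported(apps, pattern: re.Pattern) -> list:
    """Apps whose knowledge objects ES will not import, sorted for reporting."""
    return sorted(app for app, ok in classify_apps(apps, pattern).items() if not ok)


if __name__ == "__main__":
    rx = load_import_regex(ES_INPUTS_CONF)
    for app, ok in classify_apps(SEARCH_HEAD_APPS, rx).items():
        print(f"{app:22s} {'imported' if ok else 'NOT imported by ES'}")
```

Run this against the real app list (`ls $SPLUNK_HOME/etc/apps`) and the real `app_regex` value to see whether a rename or an extension of the regex is the right fix.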


splunk_cv
Explorer

It was a problem with the name of the custom app. I renamed it as TA- instead of HA- and now it works correctly. Many thanks.


splunk_cv
Explorer

Additional info: I think the problem is that in the "Search & Reporting" app all fields are extracted correctly, but in Enterprise Security the logs are not parsed. So I suppose that the correlation search can't find the fields, as I described in my question.

Any idea about the reason for this behavior?

Thanks


somesoni2
Revered Legend

Is there any field extraction set up for those fields, and if yes, what are the sharing permissions on those?


splunk_cv
Explorer

Yes, there is an app made for the field extraction installed on the SH and the permissions are for all apps. If you want, I could show you the .conf files that you need to check.

The strange thing is that in the other apps the fields are extracted, but not in the Enterprise Security app.
