Splunk Enterprise Security

My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Explorer

Hi all,

I wrote this search that shows me when certain SSIDs are matched.

sourcetype=rogap SSID="*skynet*" OR SSID="*skymobile*" OR SSID="*skyguest*" | table src AP_name MAC SSID channelNumber location 

All the fields in the search are correctly parsed in verbose mode. The search shows the correct results both in fast and verbose mode, but when I put it in a correlation search in Splunk Enterprise Security I have no results.

I modified the search to find the error. If I put this search:

sourcetype=rogap skynet | fields src AP_name MAC SSID channelNumber location | fillnull value=null  | table src AP_name MAC SSID channelNumber location

I have a result, but all the fields are null.

src   AP_name  MAC   SSID  channelNumber  location
null  null     null  null  null           null

So I think the problem is that in the correlation search, Splunk can't check the SSID value and so it doesn't return any results.

How can I solve this problem?
I already tried to use |fields ....| with no results

Thanks

0 Karma

Re: My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Explorer

Additional info: I think the problem is that in the "Search & Reporting" App all fields are extracted correctly, but in Enterprise Security the logs are not parsed. So I suppose that the correlation search can't find the fields, like I described in my question.

Any idea about the reason of this behavior?

Thanks

0 Karma

Re: My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

SplunkTrust

Is there any field extraction set up for those fields and, if yes, what are the sharing permissions on those?

0 Karma

Re: My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Explorer

Yes, there is an app made for the field extractions installed on the SH and the permissions are for all apps. If you want, I could show you the .conf files that you need to check.

The strange thing is that in the other apps the fields are extracted, but not in the Enterprise Security app.

0 Karma

Re: My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Builder

What is the name of the app that contains the extractions? Is it a Splunk Technology add-on or something custom? If it's custom, you may need to look at the following in order to get it to work; I've bumped into that issue a couple of times.

http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a...


0 Karma

Re: My search parses all fields in the Search App, but why do I get null results putting it in a Splunk Enterprise Security correlation search?

Explorer

It was a problem with the name of the custom app. I renamed it as TA- instead of HA- and now it works correctly. Many thanks.

0 Karma
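The thread surfaces two separate reasons an extraction app can work in Search & Reporting yet be invisible to an ES correlation search: the app name does not match the pattern ES uses to import apps (the HA- versus TA- fix above), and the knowledge objects are not exported to all apps. The following Python script is an added example, not code from the thread or from Splunk; it models both checks against constructed sample default.meta contents. The ES_IMPORT_REGEX constant is an assumption modelled on the TA-/SA-/DA-ESS- naming convention ES expects, so compare it with the import pattern configured in your own ES instance before relying on it.

```python
import re

# ASSUMPTION: illustrative import pattern modelled on the app naming convention
# ES uses when importing apps (TA-, SA-, DA-ESS-, Splunk_TA_ ...). It is not taken
# from the thread; check the actual pattern configured in your own ES deployment.
ES_IMPORT_REGEX = r"(appsbrowser)|(search)|([ST]A-.*)|(.*_[ST]A_.*)|(DA-ESS-.*)|(Splunk_[ST]A_.*)"


def is_imported_by_es(app_name, pattern=ES_IMPORT_REGEX):
    """True if the app name matches the import pattern, i.e. ES would load its knowledge objects."""
    return re.fullmatch(pattern, app_name) is not None


def parse_meta(text):
    """Minimal parser for Splunk *.meta files: returns {stanza: {key: value}}.
    The empty stanza name '' holds the global [] settings."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def export_scope(stanzas, object_type):
    """Effective 'export' for a knowledge-object type such as 'props': the
    type-level stanza wins, otherwise the global [] stanza, otherwise 'none'."""
    for name in (object_type, ""):
        if name in stanzas and "export" in stanzas[name]:
            return stanzas[name]["export"]
    return "none"


def diagnose(app_name, meta_text, needed_types=("props", "transforms")):
    """Return the reasons why an ES correlation search might not see this app's extractions."""
    problems = []
    if not is_imported_by_es(app_name):
        problems.append(f"app '{app_name}' does not match the ES import pattern")
    stanzas = parse_meta(meta_text)
    for object_type in needed_types:
        if export_scope(stanzas, object_type) != "system":
            problems.append(f"{object_type} objects in '{app_name}' are not exported to all apps")
    return problems


# Constructed sample default.meta: every object shared with all apps.
SHARED_META = """
[]
access = read : [ * ], write : [ admin ]
export = system
"""

# Constructed sample default.meta: props kept private, transforms shared.
PRIVATE_PROPS_META = """
[]
access = read : [ * ], write : [ admin ]
export = none

[transforms]
export = system
"""


if __name__ == "__main__":
    for app, meta in (("HA-rogap", SHARED_META), ("TA-rogap", SHARED_META), ("TA-rogap", PRIVATE_PROPS_META)):
        print(app, "->", diagnose(app, meta) or ["ok"])
```

Run as-is, the script reports that HA-rogap fails only the naming check, that TA-rogap with globally exported objects passes, and that TA-rogap with props exported as none would still be invisible to ES even though the name is right, which is the permissions question raised earlier in the thread.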