I wrote this search that shows me when certain SSIDs are matched.
sourcetype=rogap SSID="*skynet*" OR SSID="*skymobile*" OR SSID="*skyguest*" | table src AP_name MAC SSID channelNumber location
All the fields in the search are correctly parsed in verbose mode. The search shows the correct results both in fast and verbose mode, but when I put it in a correlation search in Splunk Enterprise Security I have no results.
I modified the search to find the error. If I put this search:
sourcetype=rogap skynet | fields src AP_name MAC SSID channelNumber location | fillnull value=null | table src AP_name MAC SSID channelNumber location
I have a result, but all the fields are
src AP_name MAC SSID channelNumber location null null null null null null
So I think the problem is that in the correlation search, Splunk can't check the SSID value and so it doesn't return any results.
How can I solve this problem?
I already tried to use
|fields ....| with no results
Additional info: I think the problem is that in the "Search & Reporting" app all fields are extracted correctly, but in Enterprise Security the logs are not parsed. So I suppose that the correlation search can't find the fields, as I described in my question.
Any idea about the reason for this behavior?
Is there any field extraction setup for those fields and, if yes, what are the sharing permissions on those?
Yes, there is an app made for the field extractions installed on the SH, and the permissions are for all apps. If you want, I could show you the .conf files that you need to check.
The strange thing is that in the other apps the fields are extracted, but not in the Enterprise Security app.
What is the name of the app that contains the extractions? Is it a Splunk Technology add-on or something custom? If it's custom, you may need to look at the following in order to get it to work; I've bumped into that issue a couple of times.
It was a problem with the name of the custom app. I renamed it TA- instead of HA- and now it works correctly. Many thanks.
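The resolution above comes down to two things a custom extraction app needs before an ES correlation search can see its fields: a directory name with a prefix that ES imports, and knowledge objects exported to system. The script below is an added example (not from Splunk, the poster, or the answerer) that checks both for a set of app names and their local.meta contents. The prefix list is the one documented for ES default imports and is an assumption about an unmodified deployment; the app names and metadata text are constructed samples, not taken from a real search head.

```python
"""Audit whether Splunk apps holding field extractions would be visible to
Enterprise Security correlation searches.

Two checks per app:
  1. the app directory name starts with a prefix ES imports by default
  2. the [props] (or []) stanza in local.meta is exported to system
"""
import re

# Prefixes ES imports by default (assumption: documented ES naming
# convention, unmodified import list; confirm against your ES version).
ES_IMPORT_PREFIXES = (
    "DA-ESS-", "SA-", "TA-", "Splunk_SA_", "Splunk_TA_", "Splunk_DA-ESS_",
)

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")


def es_imports_app(app_name):
    """True if ES would import knowledge objects from this app by name."""
    return app_name.startswith(ES_IMPORT_PREFIXES)


def parse_meta(text):
    """Parse .meta/.conf style text into {stanza: {key: value}}.

    Comments and blank lines are skipped; the first '=' splits key/value,
    so values containing '=' are kept intact.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)          # "" for the [] default stanza
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def is_exported_globally(meta, stanza):
    """Sharing for a stanza: its own 'export' if set, else the [] default."""
    for name in (stanza, ""):
        export = meta.get(name, {}).get("export")
        if export is not None:
            return export == "system"
    return False


def audit_apps(apps):
    """apps: {app_dir_name: local.meta text}. Returns {app: [problems]}."""
    report = {}
    for app, meta_text in apps.items():
        problems = []
        if not es_imports_app(app):
            problems.append("name lacks an ES import prefix (e.g. TA-)")
        if not is_exported_globally(parse_meta(meta_text), "props"):
            problems.append("props stanza not exported to system")
        report[app] = problems
    return report


# Constructed sample: the renamed app from the thread, the original name,
# and a third app whose extractions are private to the app.
SAMPLE_APPS = {
    "HA-rogap": "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n",
    "TA-rogap": "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n",
    "rogap_private": "[]\naccess = read : [ * ]\nexport = none\n",
}

if __name__ == "__main__":
    for app, problems in audit_apps(SAMPLE_APPS).items():
        print(app, "->", problems or ["ok"])
```

Run it on the real search head by replacing SAMPLE_APPS with the directory names under $SPLUNK_HOME/etc/apps and the text of each app's metadata/local.meta; an app that passes both checks but still yields null fields in ES points to a search-time problem (sourcetype mismatch, index permissions) rather than app visibility.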