Splunk Enterprise Security

Splunk ES Search - Sourcetype fields issue

realtimetechnol
Explorer

Hi, I wonder if anyone can help.

Running a search in Splunk Search & Reporting, I see all the fields as required, using the sourcetype, index, source, etc.

Running the same search in ES (same search head), from within the ES app and using the same search, I don't get all the same fields. Examples are src_user and src_user_email.

The following are true:
- The Splunk TA is on both search heads
- Permissions on the TA are Global and read is available to all
- I am using the same searches in verbose mode
- I have checked that there are no field aliases etc. in the UI
- This is a Splunk Cloud managed instance

Any help would be very much appreciated 🙂


jkat54
SplunkTrust

What is the TA in question?

Here's how you configure ES to import TAs. (Hint: it's not just by making them global.)

https://docs.splunk.com/Documentation/ES/4.0.1/Install/InstallTechnologyAdd-ons#Import_add-ons_with_...


realtimetechnol
Explorer

Hi jkat54,
If only I had access to the file system 😞. This is a cloud (managed) deployment, so unfortunately I only get to use the UI. However, the TAs are on the SH for ES. This particular TA is the O365 Add-on: https://splunkbase.splunk.com/app/4055/

Thanks for your help 🙂


DalJeanis
Legend

@realtimetechnology -

So, it seems like some of your fields are defined in the search app, but not within ES.

Quick test - go create a new app with nothing in it, and run the search there.

If your fields do NOT appear, then the extractions were defined within the Search app and need to be exported to global. (This is the expected result.)

If your fields DO appear, then something in ES is overriding them. (This is the unexpected result, because it seems unlikely that ES has defined the same extraction in a way that conflicts rather than merely adds.)

Let us know what you find, and we'll give you further debug steps.

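The scoping test above can also be done without creating an app, which matters on a managed Splunk Cloud search head. The following SPL is an added example, not part of any post in this thread, and uses the `| rest` command against the knowledge-object endpoints that Splunk exposes for props.conf: field aliases, search-time extractions and calculated fields. Run it from the ES search head in either app; rows whose `sharing` is `app` with `app=search` (or `sharing=user`) are the objects that are visible in Search & Reporting but not in ES, which is exactly the "defined in the Search app, not exported to global" case. The field name `src_user` is taken from the thread; swap it for whichever CIM field is missing.

```spl
| rest /servicesNS/-/-/data/props/fieldaliases splunk_server=local
| eval kind="fieldalias"
| append [
    | rest /servicesNS/-/-/data/props/extractions splunk_server=local
    | eval kind="extraction" ]
| append [
    | rest /servicesNS/-/-/data/props/calcfields splunk_server=local
    | eval kind="calcfield" ]
| search value="*src_user*"
| rename eai:acl.app AS app, eai:acl.sharing AS sharing, eai:acl.perms.read AS read_roles
| eval visible_in_es=if(sharing="global" OR app="SplunkEnterpriseSecuritySuite", "yes", "no")
| table kind stanza attribute value app sharing read_roles visible_in_es
| sort visible_in_es app stanza
```

`stanza` is the sourcetype (or source/host) the object is attached to and `attribute` is the props.conf key (for example `FIELDALIAS-...` or `EXTRACT-...`), so the output maps directly onto what Settings > Fields shows in the UI when the "App" filter is changed from "All" to a single app. Anything listed with `visible_in_es=no` must be reshared to Global, or to the ES app, before the same search will return that field inside ES.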

realtimetechnol
Explorer

Hey DalJeanis,
Thanks for the response 🙂

Unfortunately I am unable to create apps on this SH as it is an ES SH under managed cloud 😞

I followed your thought process and looked at the sourcetypes producing some of the same fields. In this example I will use 'src_user'. Obviously there were loads, as it is a CIM field. I then looked at what field aliases there were and, again, lots of these exist, from many add-ons. I checked global visibility and permissions. At this point I was going round in circles, when I thought: what if I just create the field alias in the ES app? Wow, that worked! But more interestingly, all the other fields under src* became available too.

Not sure what is going on here, but that has to be a bug? Unless you have any ideas, I will log it as a ticket and see if I get an explanation.

Thanks Again - 🙂
