Splunk Enterprise Security

Splunk ES Search - Sourcetype fields issue


Hi, I wonder if anyone can help.

Running a search in Splunk search & reporting I see all the fields as required using the sourcetype, index, source etc.

Running the same search in ES (same search head), within the search and using the same search, I don't get all the same fields. Example being src_user, src_user_email.

The following are true:
Splunk TA is on both search heads
Permissions on the TA are Global and read is available to all
Using the same searches in verbose mode
Checked that there are no field aliases etc in the UI
This is a Splunk Cloud managed instance

Any help would be very much appreciated 🙂

0 Karma


What is the TA in question?

Here's how you configure ES to import TAs. (Hint: it's not just by making them global.)


0 Karma


Hi jkat54,
If only I had access to the file system 😞. This is a cloud (managed) deployment, so unfortunately I only get to use the UI. However, the TAs are on the SH for ES. This particular TA is the O365 Add-on https://splunkbase.splunk.com/app/4055/

Thanks for your help 🙂

0 Karma


@realtimetechnology -

So, it seems like some of your fields are defined in the search app, but not within ES.

Quick test - go create a new app with nothing in it, and run the search there.

If your fields do NOT appear, then the extractions were defined within the search app and need to be exported to global. (The expected result.)

If your fields DO appear, then something in ES is overriding them. (Unexpected result, because it seems unlikely that ES has defined the same extraction in a way that conflicts, rather than merely adds.)

Let us know what you find, and we'll give you further debug steps.

0 Karma
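As an added illustration of the scoping question DalJeanis is testing for (this is not part of the original thread, and it is not the O365 add-on's own configuration), the snippet below shows what the two relevant knowledge-object definitions look like on disk for a hypothetical add-on named `my_ta` with a placeholder sourcetype `o365:example`. A field alias or extraction is a search-time knowledge object, so it only applies to a search when the app it lives in is either the app you are searching from or is exported to the whole system. The UI does the same thing when you set sharing to "Global"; it writes the `export = system` line into `local.meta` for you.

```conf
# Added example: hypothetical add-on "my_ta", placeholder sourcetype "o365:example".
# Not the real Splunk_TA for O365 and not code from the thread.

# $SPLUNK_HOME/etc/apps/my_ta/default/props.conf
[o365:example]
# Field alias: surface the raw field UserId under the CIM name src_user.
# Aliases are search-time objects, so they are subject to app scope.
FIELDALIAS-src_user = UserId AS src_user
# Regex extraction for a second CIM-style field; EXTRACT- and REPORT- stanzas
# follow exactly the same scoping rules as FIELDALIAS-.
EXTRACT-src_user_email = (?<src_user_email>[^\s@]+@[^\s@]+)

# $SPLUNK_HOME/etc/apps/my_ta/metadata/local.meta
# "export = system" is what makes these objects visible from OTHER apps
# (including the ES app). Without it, the objects are applied only when the
# search is run with my_ta as the current app context, which matches the
# symptom of fields appearing in Search & Reporting but not in ES.
[props]
export = system

[transforms]
export = system

# An object created through the UI gets its own per-object stanza instead.
# Colons in the sourcetype name are URL-encoded in metadata stanza names.
[props/o365%3Aexample/FIELDALIAS-src_user]
export = system
access = read : [ * ], write : [ admin ]
```

On a managed Cloud instance you cannot read these files, but the same information is reachable from a search: `| rest /servicesNS/-/-/data/props/fieldaliases | search title=src_user | table title stanza eai:acl.app eai:acl.sharing` lists every `src_user` alias together with the app it is defined in and whether its sharing is `app` or `global` (the `data/props/fieldaliases` REST endpoint is a standard one; the column names above are what it returns in my experience). If a definition shows `eai:acl.sharing=app` in an app other than the one you are searching from, that is the mismatch DalJeanis's test is designed to reveal. Separately, ES also has its own app-import mechanism that pulls in apps by name pattern (the `SA-`, `DA-`, `TA-` and `Splunk_TA_` prefixes), which is presumably the point of jkat54's hint that global sharing alone is not the whole story.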


Hey DalJeanis,
Thanks for the response 🙂

Unfortunately I am unable to create apps on this SH as it is an ES SH under managed cloud 😞

I followed your thought process and looked at the source types producing some of the same fields; in this example I will use 'src_user'. Obviously there were loads, as it is a CIM field. I then looked at what field aliases there were and again, lots of these exist, and from many add-ons. I checked global visibility and permissions, and at this point I was going round in circles when I thought: what if I just create the field alias in the ES app? Wow!! That worked, but more interestingly, all the other fields under src* became available.

Not sure what is going on here, but that has to be a bug? Unless you have any ideas, I will log it as a ticket and see if I get an explanation.

Thanks Again - 🙂

0 Karma