Splunk Enterprise Security

metadata from index manipulation with aliases

pavlni
Engager

I wanted to use the metadata command to monitor the last time an IDS sensor fed into our index. Because we are using Firesight and therefore estreamer, everything feeds in from a single host and the source is always "encore". To cheekily resolve that, I tried to alias the sensor field to source on the heavy forwarder (in the estreamer TA), and also on the search head thusly:

FIELDALIAS-estreamer_source = sensor AS source

After restarting the heavy forwarder process, the new data feeding in is working as expected, and when I | stats count by source now, I see all the sensors, like I wanted. Yet when using the metadata command, I only see encore. I am querying for the past hour so I should be seeing the changed data... but no cookie...

Any advice would be much appreciated.


harrymclaren
Explorer

Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such as field aliases).

What might work (and this should be carefully tested) is changing the source field at ingest on the HF using props.conf and transforms.conf.

This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:

Hope this helps!

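The index-time rewrite the answer describes, as an added example that is not from the thread or the estreamer TA. It assumes the raw eStreamer event contains the sensor name as "sensor=<name>" and that the TA assigns the sourcetype "cisco:estreamer:data"; both are assumptions to adjust to the real data. The transform only fires on events where the regex matches, so events without a sensor name keep the original source of "encore" rather than getting an empty one.

```ini
# transforms.conf on the heavy forwarder (added example, not from the thread).
# Captures the sensor name from the raw event and writes it into the indexed
# source field. FORMAT must carry the "source::" prefix when DEST_KEY is
# MetaData:Source. The regex is an assumption about the raw event layout.
[estreamer_sensor_as_source]
REGEX = sensor=([^\s,]+)
FORMAT = source::$1
DEST_KEY = MetaData:Source

# props.conf on the same heavy forwarder. "cisco:estreamer:data" is an assumed
# sourcetype name; use the sourcetype the estreamer TA actually assigns.
[cisco:estreamer:data]
TRANSFORMS-sensor_source = estreamer_sensor_as_source
```

Two things to verify after restarting the HF: the stanzas must sit on the first full Splunk instance that parses the data (a universal forwarder does not apply transforms.conf), and only events indexed after the change carry the new source, so a query such as | metadata type=sources index=<your_ids_index> for the last hour will keep showing "encore" for any events still arriving through an unchanged path. Any existing props.conf stanza keyed on source::encore will also stop matching the rewritten events, which is one reason to test this on a non-production instance first.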
