Splunk Enterprise Security

metadata from index manipulation with aliases

pavlni
Engager

I wanted to use the metadata command to monitor the last time an IDS sensor fed in our index. Because we are using Firesight and therefore eStreamer, everything feeds in a single host and the source is always "encore". To cheekily resolve that, I tried to alias the sensor field to source on the heavy forwarder (in the estreamer TA), and also on the search head, thusly:

FIELDALIAS-estreamer_source = sensor AS source

After restarting the heavy forwarder process, the new data feeding in is working as expected, and when I `| stats count by source` now, I see all the sensors, like I wanted. Yet when using the metadata command, I only see encore. I am querying for the past hour, so I should be seeing the changed data... but no cookie...

Any advice would be much appreciated.

1 Solution

harrymclaren
Explorer

Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such as field aliases).

What might work (and this should be carefully tested) is changing the source field at ingest on the HF using props.conf and transforms.conf.

This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:

Hope this helps!

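An added example of the index-time rewrite described in the accepted answer (this is not the answerer's own configuration, and not part of the estreamer TA). It assumes the raw eStreamer event carries the sensor name as a `sensor=<name>` key/value pair and that the events arrive under a sourcetype you substitute for the placeholder stanza name; both of those are assumptions to verify against your own data before deploying. The transform runs on the heavy forwarder, where parsing happens, and writes the captured sensor name into the indexed `source` field so that `| metadata type=sources` can see it.

```ini
# transforms.conf on the heavy forwarder (added example, not from the TA)
# Captures the sensor name from the raw event text. The regex assumes the
# event contains "sensor=<name>"; adjust it to match your actual eStreamer
# event format.
[estreamer_source_from_sensor]
REGEX = (?:^|[\s,])sensor=([^\s,]+)
# Write the capture group into the indexed source field rather than into
# a search-time field, which is what makes it visible to | metadata.
FORMAT = source::$1
DEST_KEY = MetaData:Source

# props.conf on the heavy forwarder (added example)
# <YOUR_ESTREAMER_SOURCETYPE> is a placeholder: use the sourcetype your
# estreamer TA assigns to the sensor events.
[<YOUR_ESTREAMER_SOURCETYPE>]
TRANSFORMS-estreamer_source = estreamer_source_from_sensor
```

After restarting the heavy forwarder, check the result with `| metadata type=sources index=<your_index>` and look at the per-source `lastTime` values; only events indexed after the restart will carry the rewritten source, so the old "encore" entry will persist for data already on disk. Because the rewrite changes the stored source value, also confirm that nothing else in the TA (for example a `[source::encore]` props stanza) depended on the original value.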
