Splunk Enterprise Security

metatada from index manipulation with aliases

pavlni
Engager

I wanted to use the metadata command to monitor the last time an IDS sensor fed in our index. Because we are using firesight and therefor estreamer everything feeds in a single host and the source is always "encore". To cheekily resolve that, I tried to alias on the heavy forwarder the sensor field to source (in the estreamer TA), and also on the search head thusly:

FIELDALIAS-estreamer_source = sensor AS source

after restarting the heavy forwarder process, the new data feeding is working as expected and when I |stats count by source now, I see all the sensors, like I wanted, yet when using the metadata command, I only see encore. I am querying for the past hour so I should be seeing the changed data.. but no cookie...

any advice would be much appreciated.

N

0 Karma
1 Solution

harrymclaren
Explorer

Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such a field aliases).

What might work (and this should be carefully tested) is changing the source filed at ingest on the HF using props.conf and transforms.conf.

This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:

Hope this helps!

View solution in original post

harrymclaren
Explorer

Based on my understanding of the metadata command, it is only able to report based on 'indexed fields'. This would not include anything added at search time (such a field aliases).

What might work (and this should be carefully tested) is changing the source filed at ingest on the HF using props.conf and transforms.conf.

This will take extra compute, but examples for a similar use case can be found here, and some other docs for reference too:

Hope this helps!

Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...