Event Forwarding Not Extracting Fields with Saved ...

4A616D6573 · ‎07-12-2019

Hi,

I've setup the Phantom App for Splunk and API is connected successfully. So far I've set up some test Saved Search Exports however the CEF extractions don't work, every time I try I get the message:

No matching results found. Configuration has been saved.

So far I have extractions setup for:

username > sourceUser > user name
src_ip > sourceAddress > ip

I can see these fields in the search in Splunk but they wont show in the preview. Any ideas?

JDown3 · ‎07-20-2019

In your alert/saved search, do you specify fields to output? (i.e. | fields username, src_ip)

I had to do this for my alert to trigger and for the fields to show up in event forwarding > new saved search export, after clicking 'auto-extract fields'.

4A616D6573 · ‎07-21-2019

Hi JDown3,

I had not done this. Auto-extacted fields now work which is nice to know but I still don't get any extracted results from the preview.

megshyle · ‎01-10-2020

I have the same issue. Update please if you have a solution. thank you

JDown3 · ‎07-21-2019

Hi @4A616D6573,

It is the same for me, trying to fix it, let me know if you do. Thanks.

Event Forwarding Not Extracting Fields with Saved Search Exports

configuration

troubleshooting

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!