Field extractions aren’t working as expected since upgraded to 7.2.3

rsantoso_splunk
Splunk Employee

Since upgrading to Splunk version 7.2.3, some field extractions aren't showing in searches properly, in particular with "Splunk_TA_bluecoat-proxysg", the TA app for Bluecoat proxy.

In this example I would like to focus on the "http_user_agent" field. This was working just fine and I could see data prior to upgrading.

[bluecoat:proxysg:tcp]
FIELDALIAS-user_agent = cs_User_Agent as http_user_agent

Can you please assist us in figuring this out and getting the field extractions correct again?


chrisyounger
SplunkTrust

I am not sure if this is the exact problem you are having, but if it really did work before and now doesn't, you are probably having this problem:

The behaviour of field aliases changed. See this thread for more detail: https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html

You can use coalesce to fix the problem. I can't see this tracked as a known issue, but I have a feeling it will be corrected soon (maybe?)


rsantoso_splunk
Splunk Employee

The reason is that if the field was not created on the first round but works after the second, that is an indicator that conditions which weren't met in order to extract the field the first time are now met during the second.

Please refer to the following URL for the information:
https://answers.splunk.com/answers/118900/extract-reload-true-required-always.html

An example:

For the http_user_agent field, it is because transforms.conf defines the http_user_agent field instead of cs_User_Agent.

There is no cs_User_Agent field being extracted in transforms.conf.

If you change this http_user_agent to cs_User_Agent, this will extract cs_User_Agent along with its alias http_user_agent.

1) Why was the alias name not an issue in the previous version?

Indeed, in version 7.0.3, the alias works fine without the need to extract the original field name.

2) The customer tested on one of the search head instances in the cluster; however, it is not working after the configuration was applied.

As a general rule, for a search head cluster, it is recommended to use the deployer for app and configuration updates. This eliminates conflicts with the run-time updates that the cluster replicates automatically. Thus directly editing a configuration file on one of the search head members is not recommended. When you perform app and configuration updates on one search head member, this could conflict with the runtime configuration.

"Caution: You must use the deployer, not the deployment server, to distribute apps to cluster members. Use of the deployer eliminates the possibility of conflict with the run-time updates that the cluster replicates automatically by means of the mechanism described in Configuration updates that the cluster replicates."
https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/PropagateSHCconfigurationchanges

"Runtime changes or additions to knowledge objects, such as saved searches, lookup tables, and dashboards. For example, when a user in Splunk Web defines a field extraction, the cluster replicates that field extraction to all search heads in the cluster."
https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/HowconfrepoworksinSHC

"If you directly edit a configuration file, the cluster does not replicate it. Instead, you must use the deployer to distribute the file to all cluster members."
https://docs.splunk.com/Documentation/Splunk/7.2.3/DistSearch/HowconfrepoworksinSHC
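The two fixes proposed in this thread (the coalesce workaround in the accepted answer and the rename of the extracted field in the follow-up) side by side, as an added illustration that is not part of the original posts and not the real configuration of Splunk_TA_bluecoat-proxysg. The REPORT/transforms stanza names, the delimiter and the field list are assumptions made up for the example; the TA's own transforms.conf is not quoted anywhere on this page, so read it (or btool's output) before editing anything.

```ini
# ILLUSTRATIVE ONLY: stanza names, DELIMS and FIELDS below are assumed, not the TA's.
# The one fact taken from the thread: the transform writes the user agent straight
# into http_user_agent, and no cs_User_Agent field is ever extracted, so the
# FIELDALIAS has no source field to read from.

# ---------- Before: the shape the follow-up describes ----------
# props.conf
[bluecoat:proxysg:tcp]
REPORT-bluecoat_fields = bluecoat_proxysg_fields          ; assumed stanza name
FIELDALIAS-user_agent  = cs_User_Agent as http_user_agent ; source never extracted

# transforms.conf
[bluecoat_proxysg_fields]                                  ; assumed stanza name
DELIMS = " "
FIELDS = date, time, time_taken, c_ip, cs_username, http_user_agent   ; assumed list

# ---------- Option A (follow-up): extract the source field, keep the alias ----------
# transforms.conf
[bluecoat_proxysg_fields]
DELIMS = " "
FIELDS = date, time, time_taken, c_ip, cs_username, cs_User_Agent     ; renamed here

# props.conf (unchanged): cs_User_Agent now exists, so the alias yields http_user_agent
[bluecoat:proxysg:tcp]
REPORT-bluecoat_fields = bluecoat_proxysg_fields
FIELDALIAS-user_agent  = cs_User_Agent as http_user_agent

# ---------- Option B (accepted answer): leave the transform, coalesce instead ----------
# props.conf: drop the FIELDALIAS and build http_user_agent as a calculated field.
# Calculated fields (EVAL-) run after field aliases in the search-time pipeline, so the
# alias must really be removed, not just left beside the EVAL.
[bluecoat:proxysg:tcp]
REPORT-bluecoat_fields   = bluecoat_proxysg_fields
EVAL-http_user_agent     = coalesce(cs_User_Agent, http_user_agent)
```

To confirm which copy of the stanza actually wins on a search head (a local edit in system/local or an app's local directory silently overrides the TA's default), run `$SPLUNK_HOME/bin/splunk btool props list bluecoat:proxysg:tcp --debug` and check the file path printed beside each FIELDALIAS and EVAL line. A quick search such as `sourcetype=bluecoat:proxysg:tcp | stats count(cs_User_Agent) AS src count(http_user_agent) AS alias` shows whether the source field is populated at all. On a search head cluster, put the change in an app on the deployer and push it with `splunk apply shcluster-bundle` rather than editing a member directly, as the follow-up and the quoted documentation advise.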
