Splunk Search

Fields are not showing

sasankganta
Path Finder

I have a raw event like: time action severity host, etc.

But when I checked the interesting fields, the action field is not showing. All the logs are related to McAfee, coming from tcp:9997.

Can someone please let me know what the issue could be and what actions I can take to correct this?

0 Karma

sasankganta
Path Finder

Also, it would be a great help if you could advise on the undefined logs and what kind these are:

Feb 17 15:41:44 SyslogAlertForwarder: ....0;;; HTTP Host == 10.10.198.187:8080;;; HTTP Response Content Type == application/javascript Last-Modified: Tue, 26 Feb 2019 16:11:46 GMT;;; "
cribl_pipe = uk_mns
host = undefined
ids_type = network
index = eits_ips_prod_us
source = tcp:9997
sourcetype = mcafee:nsm

Feb 17 15:41:07 SyslogAlertForwarder: ...P Response Content Type == application/octet-stream;;; "
cribl_pipe = uk_mns
host = undefined
ids_type = network
index = eits_ips_prod_us
source = tcp:9997
sourcetype = mcafee:nsm

0 Karma

sasankganta
Path Finder

Please find the sample log:

Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" domain="Serasa" category="Sensor" signature="Deploying updates to "spobripsgw02"." action="Set Deployment" result="succeeded" user="Administrator" comment="N/A" delta="N/A"
category = Sensor
cribl_pipe = br_mns
host = 10.52.225.200
ids_type = network
index = eits_ips_prod_us
signature = Deploying updates to
source = tcp:9997
sourcetype = mcafee:nsm

0 Karma

sasankganta
Path Finder

Hi scelikok

These are McAfee NSM logs, not McAfee ePO Syslog.

0 Karma

scelikok
SplunkTrust

Hi @sasankganta,

What are you using as a sourcetype on the data input? Can you please post a sample log?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust

Hi @sasankganta,

Did you ingest the McAfee logs using the correct sourcetype mentioned in the related app?

If these logs are from "McAfee ePO Syslog" your sourcetype should be "mcafee:epo:syslog". If you are ingesting using something other than this sourcetype, none of the extractions will work.

Can you please post a screenshot that shows your search, results and interesting fields?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

sasankganta
Path Finder

I don't think I can extract fields here, because it's an Intrusion Detection System data model and we directly get McAfee logs from tcp:9997.

0 Karma

gcusello
SplunkTrust

Hi @sasankganta,

Yes, you're receiving McAfee logs from tcp:9997, but after the logs are indexed, you have to parse your logs to extract fields before archiving them in the Data Model.

Is there an app for McAfee in your Search Head?

If yes, try your search again inside this app.

Otherwise, you have to parse your logs.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @sasankganta,

Splunk automatically recognizes fields when they are in the format "field_name=field_value".

Otherwise you have to extract them and you have two choices:

  • use an Add-on that already contains all the field extractions (e.g. Splunk_TA_Windows);
  • manually extract all the fields you need.

There's a third choice if you have a CSV or a JSON file, but that isn't your case.

Anyway, are you using an Add-on containing the field extractions?

If not, you have to create the field extractions.

Ciao.

Giuseppe

0 Karma
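As an added illustration (not code from this thread or from Splunk), here is a Python model of why a key="value" event can lose fields: the SyslogAuditLogForwarder sample posted earlier in this thread has a nested quote inside the signature value, and the field list under it shows signature cut at "Deploying updates to" with no action field at all. The strict parser below is a simplified assumption of sequential key="value" tokenisation, not Splunk's actual automatic extraction; the tolerant one shows the regex shape a manual field extraction would need to recover action and the fields after it.

```python
import re

# Constructed sample, modelled on the SyslogAuditLogForwarder event posted in
# this thread: the signature value contains embedded double quotes.
SAMPLE = (
    'Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" '
    'domain="Serasa" category="Sensor" '
    'signature="Deploying updates to "spobripsgw02"." '
    'action="Set Deployment" result="succeeded" user="Administrator" '
    'comment="N/A" delta="N/A"'
)

# One well-formed key="value" token, where a value ends at the first quote.
STRICT_TOKEN = re.compile(r'\s*(\w+)="([^"]*)"')

# Quote-tolerant token: a value runs until a quote that is followed by the
# next key= or by end of line, so embedded quotes do not end it early.
TOLERANT_TOKEN = re.compile(r'(\w+)="(.*?)"(?=\s+\w+="|\s*$)')


def extract_strict(event: str) -> dict:
    """Simplified model (an assumption, not Splunk's parser): consume
    key="value" pairs sequentially and stop at the first malformed token."""
    fields = {}
    start = re.search(r'\w+="', event)  # skip the syslog header
    pos = start.start() if start else len(event)
    while True:
        tok = STRICT_TOKEN.match(event, pos)
        if not tok:
            break  # e.g. the stray spobripsgw02"." left by the nested quote
        fields[tok.group(1)] = tok.group(2).strip()
        pos = tok.end()
    return fields


def extract_tolerant(event: str) -> dict:
    """Extract every pair, letting values contain embedded quotes."""
    return {k: v.strip() for k, v in TOLERANT_TOKEN.findall(event)}


def lost_fields(event: str) -> list:
    """Fields the strict parse drops but the tolerant one recovers."""
    return sorted(set(extract_tolerant(event)) - set(extract_strict(event)))


if __name__ == "__main__":
    print("strict   :", extract_strict(SAMPLE))
    print("tolerant :", extract_tolerant(SAMPLE))
    print("lost     :", lost_fields(SAMPLE))
```

The strict parse reproduces the truncated signature and missing action seen in the thread; the tolerant pattern is the kind of regex to put into a manual field extraction so the Intrusion Detection data model gets its action field.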

sasankganta
Path Finder

Tried in all search modes, still the same issue: the raw event is showing "action", but the interesting fields are not showing the action field.

0 Karma

sasankganta
Path Finder

Yes, searching in verbose mode.

0 Karma

richgalloway
SplunkTrust

Are you searching in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.
0 Karma