Splunk Search

Fields are not showing

sasankganta
Path Finder

I have raw event like : time action severity host , etc., 

But when I checked interesting filed action filed is not showing. All the logs are related to  mcafee getting from tcp:9997

Can some one please let me know what can be the issue and what actions can I take to correct this ?

Labels (1)
Tags (1)
0 Karma

sasankganta
Path Finder

Also , it would be a great help if you can suggest about undefined logs and what kind these are : 

Feb 17 15:41:44 SyslogAlertForwarder: ....0;;; HTTP Host == 10.10.198.187:8080;;; HTTP Response Content Type == application/javascript Last-Modified: Tue, 26 Feb 2019 16:11:46 GMT;;; "
cribl_pipe = uk_mnshost = undefinedids_type = networkindex = eits_ips_prod_ussource = tcp:9997sourcetype = mcafee:nsm

 

Feb 17 15:41:07 SyslogAlertForwarder: ...P Response Content Type == application/octet-stream;;; "
cribl_pipe = uk_mnshost = undefinedids_type = networkindex = eits_ips_prod_ussource = tcp:9997sourcetype = mcafee:nsm

0 Karma

sasankganta
Path Finder

Please find the sample log :

 

Feb 17 00:12:22 SyslogAuditLogForwarder: time="2021-02-17 00:12:22 BRT" domain="Serasa" category="Sensor" signature="Deploying updates to "spobripsgw02"." action="Set Deployment" result="succeeded" user="Administrator" comment="N/A" delta="N/A"
category = Sensorcribl_pipe = br_mnshost = 10.52.225.200ids_type = networkindex = eits_ips_prod_ussignature = Deploying updates tosource = tcp:9997sourcetype = mcafee:nsm

0 Karma

sasankganta
Path Finder

Hi scelikok

These are mcafee nsm logs not McAfee ePO Syslog

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @sasankganta,

What are you using as a sourcetype on data input? Can you please post a sample log ?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @sasankganta,

Did you ingest McAfee logs using correct sourcetype that mentioned in the related app? 

If these logs are from "McAfee ePO Syslog" your sourcetype should be "mcafee:epo:syslog". If you are ingesting using something other than this sourcetype, none of the extractions will work.

Can you please post a screenshot that shows your search, results and interesting fields?

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

sasankganta
Path Finder

I don't think here i can extract fields , because it's a Intrusion detection system data model and we directly get mcafee logs from tcp:9997

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sasankganta,

yes, you're receiving McAfee logs from tcp:9997 but after logs  are indexed, you have to parse your logs to extract fields before archiving in Data Model.

Is there an app for McAfee in your Search Head?

If yes, try again your search inside this app.

Otherwise, you have to parse your logs.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @sasankganta,

Splunk automatically recognizes fields when they are in the format "field_name=field_value".

Otherwise you have to extract them and you have two choices:

  • use an Add-on that already contains all the field extractions (e.g. Splunk_TA_Windows);
  • manually extract all the fields you need.

there's a third choice if you have a csv or a json file, but it isn't your case.

Anyway, are you using an Add-on containing the field extractions?

if not, you have to create the fields extractions.

Ciao.

Giuseppe

0 Karma

sasankganta
Path Finder

Tried in all search modes still the same issue, raw event is showing "action"  , but interesting filed it's not showing action field

0 Karma

sasankganta
Path Finder

yes searching in verbose mode

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are you searching in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...