Splunk Search

How to find where an extracted field was created that appears in searches?

tlmayes
Contributor

Trying to find where a field was created that appears in a search against our BlueCoat proxy logs.

The field is s_supplier_ip. I have searched all of our indexers, heavy and light forwarders, and search heads using grep -r "s_supplier_ip", hoping the string was in a conf file somewhere, with no luck. All other fields that appear in the search output are in the forwarder distributed app on the Forwarders in transforms.conf and props.conf, but s_supplier_ip shows up nowhere.

Why is this important? I need to know what logic was used to correlate the field s_supplier_ip with the IPs it has mapped to. I assumed that this mapping would be found in a conf file "somewhere" on one of our Splunk instances. Am I missing something obvious?

Thanks in advance

0 Karma

ddrillic
Ultra Champion

Please google BlueCoat proxy logs s_supplier_ip.

The s_supplier_ip field name is associated with the bluecoat log files.

0 Karma

tlmayes
Contributor

Apologies if not enough clarity, and thanks for the response.

This is already known, since s_supplier_ip shows up only when searching within the 'bluecoat' index. The real question is: Where is the "rule" (regex, query, other magic) that identifies the interesting content that populates the field s_supplier_ip? I can find all of the Bluecoat fields that show up in the query identified in props.conf and transforms.conf EXCEPT s_supplier_ip.

0 Karma

ddrillic
Ultra Champion

Interesting thing. Splunk Add-on for Blue Coat ProxySG

I wonder whether you use this Blue Coat Add-on...

0 Karma

tlmayes
Contributor

The initial collection point is a Heavy Forwarder and yes, the Blue Coat add-on is used. Searched through the Blue Coat directories specifically, and found no reference of s_supplier_ip. Just downloaded the App from SplunkBase and searched through the tgz contents as well. No reference.

Anybody else out there capturing Blue Coat logs have an event field of "s_supplier_ip"?

0 Karma

tlmayes
Contributor

To refocus, what I am really looking for is: Where else in a heavily distributed Splunk environment could this setting be located, since I have grep'd all servers starting @ ../splunk/etc for s_supplier_ip (heavy forwarders, indexers, search heads, management svrs)?

redacted screenshot @ https://goo.gl/dkUhQ6

0 Karma

splunkton
Path Finder

Does the field appear in the raw data?

0 Karma

tlmayes
Contributor

No, it does not appear in the raw data. Just to make sure, I executed a search, and exported the raw data. Not there. Also, I can specify the "field" of "s_supplier_ip" in a table and the output is presented as expected.

0 Karma
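A field that is absent from the raw event but present in search results is created at search time, and `splunk btool props list --debug` / `splunk btool transforms list --debug` print the merged configuration with the originating file in front of every line, which resolves the default/local and app-precedence layering that a plain grep does not. The Python below is an added example, not code from this thread or from the Blue Coat add-on: it reads that btool output and reports every mechanism that can produce a given field (inline EXTRACT regex, FIELDALIAS, EVAL calculated field, LOOKUP output, and transforms.conf FIELDS/FORMAT/REGEX). The sample btool output, app name, paths and stanzas in it are constructed.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of `splunk btool props list --debug` / `splunk btool transforms
# list --debug`: "<source file>  <config line>". Paths, app name and stanzas are made up.
SAMPLE_BTOOL = r"""
/opt/splunk/etc/apps/my_bluecoat/default/props.conf  [bluecoat:proxysg:access:syslog]
/opt/splunk/etc/apps/my_bluecoat/default/props.conf  REPORT-fields = bluecoat_csv
/opt/splunk/etc/apps/my_bluecoat/local/props.conf  FIELDALIAS-supplier = s_ip AS s_supplier_ip
/opt/splunk/etc/apps/my_bluecoat/local/props.conf  EVAL-bytes_total = sc_bytes + cs_bytes
/opt/splunk/etc/apps/my_bluecoat/default/transforms.conf  [bluecoat_csv]
/opt/splunk/etc/apps/my_bluecoat/default/transforms.conf  FIELDS = date, time, c_ip, s_ip, sc_bytes, cs_bytes
/opt/splunk/etc/apps/search/local/props.conf  [access_combined]
/opt/splunk/etc/apps/search/local/props.conf  EXTRACT-client = (?<client_ip>\d+\.\d+\.\d+\.\d+)
"""

Hit = namedtuple("Hit", "file stanza key mechanism")

def find_field_definitions(field, btool_output):
    """Return each config line that can create `field` at search time, with the file it came from."""
    hits, stanza = [], None
    name = re.escape(field)
    group = r"\(\?P?<" + name + ">"   # named capture group inside an EXTRACT or REGEX value
    for raw in btool_output.splitlines():
        m = re.match(r"(\S+\.conf)\s+(.*)$", raw)
        if not m:
            continue                  # blank or non-config line
        path, line = m.group(1), m.group(2).strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]       # entering a new props/transforms stanza
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        mechanism = None
        if key.startswith("EXTRACT-") and re.search(group, value):
            mechanism = "inline regex (EXTRACT)"
        elif key.startswith("FIELDALIAS-") and re.search(r"\bAS\s+" + name + r"\b", value, re.I):
            mechanism = "field alias"
        elif key == "EVAL-" + field:
            mechanism = "calculated field"
        elif key.startswith("LOOKUP-") and re.search(r"\bOUTPUT(NEW)?\b.*\b" + name + r"\b", value):
            mechanism = "lookup output"
        elif key == "FIELDS" and field in [f.strip() for f in value.split(",")]:
            mechanism = "delimited transform (FIELDS)"
        elif key == "FORMAT" and re.search(r"\b" + name + "::", value):
            mechanism = "transform FORMAT"
        elif key == "REGEX" and re.search(group, value):
            mechanism = "transform REGEX"
        if mechanism:
            hits.append(Hit(path, stanza, key, mechanism))
    return hits
```

On a real host, run both btool commands as the splunk user, concatenate their output and pass it to the function; repeat on every search head and indexer, because search-time configuration can differ per tier and a field defined only in a search head's local app will never show up in a grep of the forwarders.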