How to find where an extracted field was created that appears in searches?

Communicator

Trying to find where a field was created that appears in a search against our BlueCoat proxy logs.

The field is s_supplier_ip. I have searched all of our indexers, heavy and light forwarders, and search heads using `grep -r "s_supplier_ip"`, hoping the string was in a conf file somewhere, with no luck. All other fields that appear in the search output are in the forwarder distributed app on the forwarders in transforms.conf and props.conf, but s_supplier_ip shows up nowhere.

Why is this important? I need to know what logic was used to correlate the field s_supplier_ip with the IPs it has mapped to. I assumed that this mapping would be found in a conf file "somewhere" on one of our Splunk instances. Am I missing something obvious?

Thanks in advance


Ultra Champion

Please google BlueCoat proxy logs s_supplier_ip.

The s_supplier_ip field name is associated with the BlueCoat log files.


Communicator

Apologies if not enough clarity, and thanks for the response.

This is already known, since s_supplier_ip shows up only when searching within the 'bluecoat' index. The real question is: Where is the "rule" (regex, query, other magic) that identifies the interesting content that populates the field s_supplier_ip? I can find all of the Bluecoat fields that show up in the query identified in props.conf and transforms.conf EXCEPT s_supplier_ip.


Ultra Champion

Interesting thing. Splunk Add-on for Blue Coat ProxySG

I wonder whether you use this Blue Coat Add-on...


Communicator

The initial collection point is a heavy forwarder and yes, the Blue Coat add-on is used. I searched through the Blue Coat directories specifically and found no reference to s_supplier_ip. I just downloaded the app from Splunkbase and searched through the tgz contents as well. No reference.

Anybody else out there capturing Blue Coat logs have an event field of "s_supplier_ip"?


Communicator

To refocus, what I am really looking for is: where else in a heavily distributed Splunk environment could this setting be located, since I have grepped all servers starting at ../splunk/etc for s_supplier_ip (heavy forwarders, indexers, search heads, management servers)?

Redacted screenshot: https://goo.gl/dkUhQ6


Path Finder

Does the field appear in the raw data?


Communicator

No, it does not appear in the raw data. Just to make sure, I executed a search and exported the raw data. Not there. Also, I can specify the field "s_supplier_ip" in a table and the output is presented as expected.

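A way to audit where a search-time field comes from, as an added example that is not code from this thread, from the Blue Coat add-on, or from Splunk: it parses props.conf, transforms.conf and lookup CSV headers and lists every setting that can produce a given field (regex named groups in EXTRACT and REPORT transforms, static FORMAT names, FIELDS, FIELDALIAS, EVAL and automatic LOOKUP output). The sample files, the sourcetype stanza and the lookup names below are constructed for the demonstration. One reason a field name can be absent from every .conf file is an automatic lookup without an OUTPUT clause: its output fields are named by the CSV header (or by a KV store collection), so a grep of .conf files alone will not find them, and the check therefore reads the lookup header as well.

```python
"""Find which Splunk knowledge objects can create a given search-time field."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample files (not the add-on's real configuration), standing in
# for $SPLUNK_HOME/etc/apps/<app>/local and its lookups/ directory.
SAMPLE_CONF = {
    "props.conf": r"""
[bluecoat:proxysg:access]
REPORT-bluecoat = bluecoat_fields
FIELDALIAS-host = cs_host AS dest_host
EVAL-dest_port = if(isnull(cs_uri_port), 80, cs_uri_port)
LOOKUP-supplier = supplier_lookup cs_host
""",
    "transforms.conf": r"""
[bluecoat_fields]
REGEX = ^(?<date>\S+)\s+(?<time>\S+)\s+(?<time_taken>\d+)\s+(?<c_ip>\S+)

[supplier_lookup]
filename = supplier.csv
""",
}
SAMPLE_LOOKUPS = {"supplier.csv": "cs_host,s_supplier_ip\nexample.test,192.0.2.10\n"}

NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_]\w*)>")   # (?<name>...) in REGEX / EXTRACT
FORMAT_FIELD = re.compile(r"([A-Za-z_]\w*)::")        # static field::$1 in FORMAT


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash continuations."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = (pending + raw).rstrip()
        pending = ""
        if line.endswith("\\"):          # Splunk joins lines that end in a backslash
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def split_pairs(tokens):
    """Turn ['col', 'AS', 'alias', 'col2'] into [('col', 'alias'), ('col2', 'col2')]."""
    pairs, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() in ("AS", "ASNEW"):
            pairs.append((tokens[i], tokens[i + 2]))
            i += 3
        else:
            pairs.append((tokens[i], tokens[i]))
            i += 1
    return pairs


def lookup_outputs(setting, transforms, lookup_files):
    """Fields a LOOKUP- setting adds: the OUTPUT list, or every non-input CSV column."""
    tokens = setting.replace(",", " ").split()
    name, rest = tokens[0], tokens[1:]
    split = next((i for i, t in enumerate(rest) if t.upper() in ("OUTPUT", "OUTPUTNEW")), len(rest))
    inputs, outputs = rest[:split], rest[split + 1:]
    if outputs:
        return [alias for _column, alias in split_pairs(outputs)]
    csv_name = transforms.get(name, {}).get("filename")
    if csv_name not in lookup_files:     # KV store or external lookup: no CSV header to read
        return []
    header = next(csv.reader(io.StringIO(lookup_files[csv_name])))
    input_cols = {column for column, _alias in split_pairs(inputs)}
    return [c for c in header if c not in input_cols]


def transform_fields(t):
    """Field names a transforms.conf stanza emits: named groups, static FORMAT names, FIELDS."""
    return (NAMED_GROUP.findall(t.get("REGEX", ""))
            + FORMAT_FIELD.findall(t.get("FORMAT", ""))
            + [f.strip(' "') for f in t.get("FIELDS", "").split(",") if f.strip(' "')])


def field_origins(conf_files, lookup_files):
    """Map every field name to the props/transforms settings that can create it."""
    props = parse_conf(conf_files.get("props.conf", ""))
    transforms = parse_conf(conf_files.get("transforms.conf", ""))
    origins = defaultdict(list)
    for stanza, settings in props.items():
        for key, value in settings.items():
            where = f"props.conf [{stanza}] {key}"
            kind = key.split("-", 1)[0]
            if kind == "EXTRACT":
                found = [(f, where) for f in NAMED_GROUP.findall(value)]
            elif kind == "REPORT":
                found = [(f, f"transforms.conf [{n}] via {where}")
                         for n in value.replace(",", " ").split()
                         for f in transform_fields(transforms.get(n, {}))]
            elif kind == "FIELDALIAS":
                found = [(alias, where) for _col, alias in split_pairs(value.split())]
            elif kind == "EVAL":
                found = [(key[len("EVAL-"):], where)]
            elif kind == "LOOKUP":
                found = [(f, where) for f in lookup_outputs(value, transforms, lookup_files)]
            else:
                found = []
            for field, origin in found:
                origins[field].append(origin)
    return dict(origins)


if __name__ == "__main__":
    origins = field_origins(SAMPLE_CONF, SAMPLE_LOOKUPS)
    for field in ("s_supplier_ip", "c_ip", "cs_host"):
        print(field, "<-", origins.get(field, ["no knowledge object found; check the raw events"]))
```

On a real search head, feed it the merged view rather than one app's files: `splunk btool props list --debug` and `splunk btool transforms list --debug` print every stanza with the file it came from, which is also how to spot settings living in an unexpected app or in a user's `local` directory.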