Interesting fields generated from the AWS Add-On not showing up in Search&Reporting App

mcirrici
Explorer

Hi,

I have a CloudTrail data source feeding into the AWS Add-On app on a single-instance Splunk deployment.

If I go to the AWS app and do a search from within that app, Splunk is able to extract all the interesting fields and populate them into key-value pairs just fine.

However, I've built a dashboard using that data source and interesting fields in the S&R app and Splunk does not populate those same key-value pairs as it would in the AWS app.

The only way to extract those key-value pairs from within the S&R app is to do a 'spath' search which is not the best way to build the searches in the dashboard.

I've already checked the fields settings and it's showing all the AWS fields enabled globally in the permissions section.

Has anybody experienced this issue before, or have any ideas where to poke at to get the fields to be extracted globally?
