Solved: Managing new field extractions on the fly

aohls · ‎10-14-2020

Looking for insight as to how people manage when you have macros and other knowledge objects and new logs can get added without us knowing. We have a number of marcos and then a new log is added; which we do not always know, we can miss items due to the filtering within the macro/search on a field extraction. The logging standards are good but we just have new items.

I was thinking of doing a check of the field extractions to find differences through a quick search or some type of lookup; which can then be used to get dashboard items easier which we use a search for now.

isoutamo · ‎10-14-2020

The best practice is to define integration/ onboard process which needs to follow before logs can present on splunk.
Another way is create alert or dashboard where you could found new host + source which have added without your knowledge.
r. Ismo

View solution in original post

isoutamo · ‎10-14-2020

The best practice is to define integration/ onboard process which needs to follow before logs can present on splunk.
Another way is create alert or dashboard where you could found new host + source which have added without your knowledge.
r. Ismo

aohls · ‎10-16-2020

That is what should happen, unfortunately it doesn't always. I setup a morning report to present anything new to me.

Managing new field extractions on the fly

field extraction

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...