Splunk Search

Managing new field extractions on the fly

aohls
Contributor

Looking for insight as to how people manage when you have macros and other knowledge objects and new logs can get added without us knowing. We have a number of marcos and then a new log is added; which we do not always know, we can miss items due to the filtering within the macro/search on a field extraction. The logging standards are good but we just have new items. 

 

I was thinking of doing a check of the field extractions to find differences through a quick search or some type of lookup; which can then be used to get dashboard items easier which we use a search for now.

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust
The best practice is to define integration/ onboard process which needs to follow before logs can present on splunk.
Another way is create alert or dashboard where you could found new host + source which have added without your knowledge.
r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust
The best practice is to define integration/ onboard process which needs to follow before logs can present on splunk.
Another way is create alert or dashboard where you could found new host + source which have added without your knowledge.
r. Ismo

aohls
Contributor

That is what should happen, unfortunately it doesn't always. I setup a morning report to present anything new to me.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...