Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing fields extractions

franklinashokp
New Member
‎04-27-2017 05:19 AM

Hi All,

Recently we have moved all the splunk rules for alerting to another app,

after we moved few searched are not giving any results, for example the searches which are using a eventtype that contains facility and mnemonics doesnt give any result.

Below is one such example of an eventtype

Below are two example of event type

1) sourcetype=cisco_syslog facility=OSPF mnemonic=ADJCHG

2) sourcetype=cisco_syslog facility=BGP mnemonic=ADJCHANGE

I am not very sure but after searching on google, I understand the facility & mnemonic are the fields created to match the event, however after we changed the app to GNS_Alerting I couldn’t find these two in the fields extractions. May I check with you how to create the fields as most of the event types used for the alert rules are using these fields. If i removed the facility and mnemonic and just give the key words we see results.

Can please advise thanks

regards
Franklin

Tags (1)
0 Karma
Reply

dineshraj9
Builder
‎04-27-2017 05:36 AM

Check permissions on all knowledge object in the previous app. Either share them globally or move them to your new app for the searches to work again.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...