Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing fields extractions

franklinashokp
New Member
‎04-27-2017 05:19 AM

Hi All,

Recently we have moved all the splunk rules for alerting to another app,

after we moved few searched are not giving any results, for example the searches which are using a eventtype that contains facility and mnemonics doesnt give any result.

Below is one such example of an eventtype

Below are two example of event type

1) sourcetype=cisco_syslog facility=OSPF mnemonic=ADJCHG

2) sourcetype=cisco_syslog facility=BGP mnemonic=ADJCHANGE

I am not very sure but after searching on google, I understand the facility & mnemonic are the fields created to match the event, however after we changed the app to GNS_Alerting I couldn’t find these two in the fields extractions. May I check with you how to create the fields as most of the event types used for the alert rules are using these fields. If i removed the facility and mnemonic and just give the key words we see results.

Can please advise thanks

regards
Franklin

Tags (1)
0 Karma
Reply

dineshraj9
Builder
‎04-27-2017 05:36 AM

Check permissions on all knowledge object in the previous app. Either share them globally or move them to your new app for the searches to work again.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...