Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Missing fields extractions

franklinashokp
New Member
‎04-27-2017 05:19 AM

Hi All,

Recently we have moved all the splunk rules for alerting to another app,

after we moved few searched are not giving any results, for example the searches which are using a eventtype that contains facility and mnemonics doesnt give any result.

Below is one such example of an eventtype

Below are two example of event type

1) sourcetype=cisco_syslog facility=OSPF mnemonic=ADJCHG

2) sourcetype=cisco_syslog facility=BGP mnemonic=ADJCHANGE

I am not very sure but after searching on google, I understand the facility & mnemonic are the fields created to match the event, however after we changed the app to GNS_Alerting I couldn’t find these two in the fields extractions. May I check with you how to create the fields as most of the event types used for the alert rules are using these fields. If i removed the facility and mnemonic and just give the key words we see results.

Can please advise thanks

regards
Franklin

Tags (1)
0 Karma
Reply

dineshraj9
Builder
‎04-27-2017 05:36 AM

Check permissions on all knowledge object in the previous app. Either share them globally or move them to your new app for the searches to work again.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...