Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Missing fields extractions

franklinashokp
New Member
‎04-27-2017 05:19 AM

Hi All,

Recently we have moved all the splunk rules for alerting to another app,

after we moved few searched are not giving any results, for example the searches which are using a eventtype that contains facility and mnemonics doesnt give any result.

Below is one such example of an eventtype

Below are two example of event type

1) sourcetype=cisco_syslog facility=OSPF mnemonic=ADJCHG

2) sourcetype=cisco_syslog facility=BGP mnemonic=ADJCHANGE

I am not very sure but after searching on google, I understand the facility & mnemonic are the fields created to match the event, however after we changed the app to GNS_Alerting I couldn’t find these two in the fields extractions. May I check with you how to create the fields as most of the event types used for the alert rules are using these fields. If i removed the facility and mnemonic and just give the key words we see results.

Can please advise thanks

regards
Franklin

Tags (1)
0 Karma
Reply

dineshraj9
Builder
‎04-27-2017 05:36 AM

Check permissions on all knowledge object in the previous app. Either share them globally or move them to your new app for the searches to work again.

0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...