Hi All,
Recently we moved all the Splunk alerting rules to another app. After the move, a few searches are not giving any results; for example, the searches that use an eventtype containing facility and mnemonic don't give any results.
Below are two examples of such eventtypes:
1) sourcetype=cisco_syslog facility=OSPF mnemonic=ADJCHG
2) sourcetype=cisco_syslog facility=BGP mnemonic=ADJCHANGE
I am not very sure, but after searching on Google I understand that facility and mnemonic are fields created to match the event. However, after we changed the app to GNS_Alerting, I couldn't find these two in the field extractions. May I check with you how to create the fields, as most of the eventtypes used for the alert rules use these fields? If I remove facility and mnemonic and just give the keywords, we see results.
Can you please advise? Thanks.
regards
Franklin
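Added example, not part of the post above and not code from Splunk or from the GNS_Alerting app: the two eventtypes only match if `facility` and `mnemonic` exist as extracted fields on the `cisco_syslog` events. On Cisco IOS devices those values live in the message header, written as `%FACILITY-SEVERITY-MNEMONIC:` (sometimes with a subfacility, `%FACILITY-SUBFACILITY-SEVERITY-MNEMONIC:`). The usual way to turn that header into fields is a regex with named groups in a `props.conf` `EXTRACT-<name>` stanza on the sourcetype; that such a stanza is what the old app carried is an assumption, since the post does not say where the fields came from. The script below runs that extraction offline over constructed sample syslog lines, evaluates the two eventtypes from the post against the extracted fields, and contrasts that with a plain keyword match, which is what the poster sees when the field terms are dropped. The eventtype names and all sample lines are hypothetical.

```python
import re

# Header of a Cisco IOS syslog message: %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC:
# Named groups become field names; the same regex could be used in props.conf as
#   [cisco_syslog]
#   EXTRACT-cisco_msg = %(?P<facility>[A-Z0-9_]+)(?:-(?P<subfacility>[A-Z0-9_]+))?-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):
# (illustrative stanza; field names chosen to match the post's eventtypes)
CISCO_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)"
    r"(?:-(?P<subfacility>[A-Z0-9_]+))?"
    r"-(?P<severity>[0-7])"
    r"-(?P<mnemonic>[A-Z0-9_]+):"
)

# Constructed sample events (not real device output). The last line has the
# keywords but no Cisco header, so field extraction finds nothing in it.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 rtr1 1234: *Jan 10 12:00:01.123: %OSPF-5-ADJCHG: Process 1, "
    "Nbr 10.0.0.2 on GigabitEthernet0/0 from LOADING to FULL, Loading Done",
    "Jan 10 12:00:05 rtr1 1235: *Jan 10 12:00:05.456: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up",
    "Jan 10 12:00:09 rtr1 1236: *Jan 10 12:00:09.789: %SYS-5-CONFIG_I: Configured from "
    "console by admin on vty0 (10.0.0.9)",
    "Jan 10 12:00:12 rtr1 1237: free-text line mentioning OSPF and ADJCHG with no header",
]

# The two eventtypes from the post, expressed as field=value terms (names are hypothetical).
EVENTTYPES = {
    "ospf_adjacency_change": {"sourcetype": "cisco_syslog", "facility": "OSPF", "mnemonic": "ADJCHG"},
    "bgp_adjacency_change": {"sourcetype": "cisco_syslog", "facility": "BGP", "mnemonic": "ADJCHANGE"},
}


def extract_fields(event):
    """Fields the EXTRACT regex would add to one raw cisco_syslog event; {} if no header."""
    m = CISCO_MSG_RE.search(event)
    if not m:
        return {}
    fields = {"sourcetype": "cisco_syslog"}
    # drop the optional subfacility when it is absent, as Splunk would
    fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def matching_eventtypes(event):
    """Eventtypes whose field=value terms all hold for the extracted fields of this event."""
    fields = extract_fields(event)
    return sorted(
        name for name, terms in EVENTTYPES.items()
        if all(fields.get(k) == v for k, v in terms.items())
    )


def keyword_only_match(event, *keywords):
    """Plain substring search, i.e. the eventtype with the field terms removed."""
    return all(k in event for k in keywords)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_fields(ev), "->", matching_eventtypes(ev),
              "| keywords OSPF+ADJCHG:", keyword_only_match(ev, "OSPF", "ADJCHG"))
```

The fourth sample shows why the field-based form is worth restoring rather than replaced by keywords: it matches `OSPF` and `ADJCHG` as substrings but carries no header, so it would fire a keyword-only alert while the field-based eventtype correctly ignores it. Conversely, with no extraction in place every event returns `{}` and both eventtypes match nothing, which is the symptom described in the post.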