Splunk Enterprise Security

Splunk ES Search - Sourcetype fields issue

realtimetechnol
Explorer

Hi, I wonder if anyone can help.

Running a search in Splunk search & reporting I see all the fields as required using the sourcetype, index, source etc.

Running the same search in ES (same search head), within the search and using the same search, I don't get all the same fields. Example being src_user, src_user_email.

The following are true:
Splunk TA is on both search heads
Permissions on the TA are Global and read is available to all
Using the same searches in verbose mode
Checked that there are no field aliases etc in the UI
This is a Splunk Cloud managed instance

Any help would be very much appreciated 🙂


jkat54
SplunkTrust

What is the TA in question?

Here's how you configure ES to import TAs. (Hint: it's not just by making them global.)

https://docs.splunk.com/Documentation/ES/4.0.1/Install/InstallTechnologyAdd-ons#Import_add-ons_with_...


realtimetechnol
Explorer

Hi jkat54,
If only I had access to the file system 😞. This is a cloud (managed) deployment, so unfortunately I only get to use the UI. However, the TAs are on the SH for ES. This particular TA is the O365 Add-on https://splunkbase.splunk.com/app/4055/

Thanks for your help 🙂


DalJeanis
Legend

@realtimetechnology -

So, it seems like some of your fields are defined in the search app, but not within ES.

Quick test - go create a new app with nothing in it, and run the search there.

If your fields do NOT appear, then the extractions were defined within the search app and need to be exported to global. (The expected result.)

If your fields DO appear, then something in ES is overriding them. (Unexpected result, because it seems unlikely that ES has defined the same extraction in a way that conflicts, rather than merely adds.)

Let us know what you find, and we'll give you further debug steps.

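The quick test above turns on Splunk's per-app knowledge-object visibility: an object is usable from an app if it lives in that app, is shared globally, or is app-shared in an add-on that the app imports (which is what the ES import setting linked earlier in the thread controls). The following is an added example, not code from the thread, from Splunk, or from the O365 add-on. It applies those visibility rules to a constructed set of field-alias records, shaped loosely like the JSON from the `data/props/fieldaliases` REST endpoint, and reports which aliases ES would miss. The ES import patterns and the add-on name `TA-hypothetical-o365` are assumptions.

```python
"""Decide which Splunk field aliases a given app (here ES) can actually use.

Added example for this thread; not Splunk's code and not the poster's.
Splunk resolves knowledge objects per app: an object is usable from app X if
it lives in X, is shared globally, or is app-shared in an app that X imports
(ES imports add-ons through its metadata 'import' setting). The records below
are constructed and only loosely shaped like the JSON returned by
GET /servicesNS/-/-/data/props/fieldaliases?output_mode=json.
"""
import fnmatch
import json

ES_APP = "SplunkEnterpriseSecuritySuite"

# Assumed ES import patterns. The real list lives in ES's metadata and may
# differ on a given instance; treat these as placeholders.
ES_IMPORT_PATTERNS = ("DA-ESS-*", "SA-*", "Splunk_SA_*", "TA-*", "Splunk_TA_*")


def _entry(name, app, sharing, owner="nobody"):
    """Build one constructed REST-style entry (name + ACL + minimal content)."""
    return {"name": name,
            "acl": {"app": app, "sharing": sharing, "owner": owner},
            "content": {"stanza": "o365:management:activity"}}


# Constructed sample: the same kind of src_user alias defined in several scopes.
SAMPLE_RESPONSE = json.dumps({"entry": [
    _entry("search-app-src_user", "search", "app"),             # search app only
    _entry("search-global-src_user_email", "search", "global"), # exported globally
    _entry("ta-app-src_user", "TA-hypothetical-o365", "app"),   # hypothetical add-on
    _entry("es-app-user", ES_APP, "app"),                       # created inside ES
    _entry("search-private-src_nt_user", "search", "user", owner="bob"),
]})


def visibility(entry, app, import_patterns=(), user=None):
    """Return (visible, reason) for one entry as seen from `app`."""
    acl = entry["acl"]
    owner_app, sharing = acl["app"], acl["sharing"]
    if sharing == "global":
        return True, "shared globally"
    if owner_app == app:
        # Inside its own app the object is visible unless it is someone else's private one.
        if sharing == "user" and acl["owner"] != user:
            return False, f"private to {acl['owner']}"
        return True, f"owned by {app}"
    if sharing == "user":
        return False, f"private to {acl['owner']} in {owner_app}"
    # App-shared in another app: only visible if `app` imports that app.
    for pattern in import_patterns:
        if fnmatch.fnmatchcase(owner_app, pattern):
            return True, f"app-shared in {owner_app}, imported via {pattern}"
    return False, f"app-shared in {owner_app}, which {app} does not import"


def visibility_report(response_json, app, import_patterns=(), user=None):
    """Map each alias name to its (visible, reason) from the perspective of `app`."""
    entries = json.loads(response_json)["entry"]
    return {e["name"]: visibility(e, app, import_patterns, user) for e in entries}


def hidden_from(response_json, app, import_patterns=(), user=None):
    """Names of aliases that exist on the search head but `app` cannot use."""
    report = visibility_report(response_json, app, import_patterns, user)
    return sorted(name for name, (visible, _) in report.items() if not visible)


if __name__ == "__main__":
    report = visibility_report(SAMPLE_RESPONSE, ES_APP, ES_IMPORT_PATTERNS)
    for name, (visible, reason) in report.items():
        print(f"{'OK  ' if visible else 'MISS'} {name}: {reason}")
```

Run against the constructed data, the alias that lives only in the search app with app-level sharing is the one ES cannot see, while the globally shared alias, the alias inside an imported add-on, and the alias created directly in the ES app all resolve. That matches both outcomes described in this thread: exporting the search-app extraction to global, or defining it inside the ES app, makes the field appear.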

realtimetechnol
Explorer

Hey DalJeanis,
Thanks for the response 🙂

Unfortunately I am unable to create apps on this SH as it is an ES SH under managed cloud 😞

I followed your thought process and looked at the source types producing some of the same fields; in this example I will use 'src_user'. Obviously there were loads, as it is a CIM field. I then looked at what field aliases there were and again, lots of these exist, from many add-ons. I checked global visibility and permissions. At this point I was going round in circles when I thought: what if I just create the field alias in the ES app? Wow!! That worked, but more interestingly, all the other fields under src* become available.

Not sure what is going on here, but that has to be a bug? Unless you have any ideas, I will log it as a ticket and see if I get an explanation.

Thanks Again - 🙂
