Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find where an extracted field was created that appears in searches?

tlmayes
Contributor
‎07-11-2016 11:36 AM

Trying to find where a field was created that appears in a search against our BlueCoat proxy logs.

The field is s_supplier_ip. I have searched all of our indexers, heavy and light forwarders, and search heads using grep -r "s_supplier_ip". hoping the string was in a conf file somewhere, with no luck. All other fields that appear in the search output are in the forwarder distributed app on the Forwarders in transforms and props.conf, but s_supplier_ip shows up nowhere.

Why is this important? I need to know what logic was used to correlate the field s_supplier_ip with the IP's it has mapped to. I assumed that this mapping would be found in a conf files "somewhere" on one of our Splunk instances. Am I missing something obvious?

Thanks in advance

0 Karma
Reply

ddrillic
Ultra Champion
‎07-11-2016 01:29 PM

Please google BlueCoat proxy logs s_supplier_ip.

alt text

The s_supplier_ip field name is associated with the bluecoat log files..

Preview file
1 KB
0 Karma
Reply

tlmayes
Contributor
‎07-11-2016 01:38 PM

Apologies if not enough clarity, and thanks for the response.

This is already known, since s_supplier_ip shows up only when searching within the 'bluecoat' index. The real question is: Where is the "rule" (regex, query, other magic) that identifies the interesting content that populates the field s_supplier_ip? I can find all of the Bluecoat fields that show up in the query identified in props.conf and transforms.conf EXCEPT s_supplier_ip.

0 Karma
Reply

ddrillic
Ultra Champion
‎07-11-2016 01:43 PM

Interesting thing. Splunk Add-on for Blue Coat ProxySG

I wonder whether you use this Blue Coat Add-on...

0 Karma
Reply

tlmayes
Contributor
‎07-11-2016 03:46 PM

The initial collection point is a Heavy Forwarder and yes, the Blue Coat add-on is used. Searched through the Blue Coat directories specifically, and found no reference of s_supplier_ip. Just downloaded the App from SplunkBase and searched through the tgz contents as well. No reference.

Anybody else out there capturing Blue Coat logs have an event field of "s_supplier_ip?

0 Karma
Reply

tlmayes
Contributor
‎07-11-2016 04:20 PM

To refocus, what I am really looking for is: Where else in a heavily distributed Splunk environment could this setting be located, since I have grep'd all servers starting @ ../splunk/etc for s_supplier_ip (heavy forwarders, indexers, search heads, management svrs)

redacted screenshot @ https://goo.gl/dkUhQ6

0 Karma
Reply

splunkton
Path Finder
‎07-11-2016 01:07 PM

Does the field appears in raw data?

0 Karma
Reply

tlmayes
Contributor
‎07-11-2016 01:13 PM

No, it does not appear in the raw data. Just to make sure, I executed a search, and exported the raw data. Not there. Also, I can specify the "field" of "s_supplier_ip" in a table and the output is presented as expected.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...