Splunk Enterprise Security

Different fields in apps for same sourcetype?

echojacques
Builder

Hello,

One of my sourcetypes is bcoat_proxysg (BlueCoat). Within the Search app, I have all of the correct/expected fields. Within the Enterprise Security app, there is a different set of fields and none of the relevant BlueCoat fields (like http_referrer and http_user_agent) are available. It's almost as if the sourcetype is broken within ES (but it's fine in Search). None of my other sourcetypes have this problem so I'm really confused about why the fields are different between the two apps.

Update: I tried the suggested answer below last night and made the changes to TA-bluecoat but this didn't make any difference. So currently in my Search app, the sourcetype=bcoat_proxysg fields are correct but in my ES app the fields are incorrect. I'm looking for guidance on where I should begin to troubleshoot this... I'm really confused why this is happening in the first place... I thought that a sourcetype (once defined) would have the same fields available in all apps.

Do I need to do field extractions twice... once for Search and once for ES???

Thanks!

1 Solution

echojacques
Builder

After a lot of testing, I had to revert from ES version 3.0 back to ES version 2.4 to get my sourcetypes and their fields to work properly again within ES. What I learned is that I will need to modify my field extractions/transformations in order to make them compatible with ES 3 - otherwise, the fields, dashboards, and views within ES 3 will not have good data.


echojacques
Builder

Hi, I decided to revert because almost all of the built-in dashboards/views within ES 3 either had missing data or incorrect data. Then I also found that my Checkpoint/opsec-lea sourcetype had incorrect fields (just like the bluecoat issue) as well.

We are set up to read all of our data from a syslog instead of directly from the devices. I think this may be the issue since we have many customized extractions/transformations that ES 3 may not know how to interpret. That said, if it works within ES 2.4 then ES 3.0 should know how to handle it during an upgrade...

Thanks again for your help.


jcoates_splunk
Splunk Employee

There were some changes between the two to switch from proxy to the web datamodel, but this is the first I've heard of an upgrade not working right. A support ticket might be in order to figure out what's not working for you. Reverting the whole ES install shouldn't be necessary either, though I appreciate that restoring the backup is easier than troubleshooting.


jcoates_splunk
Splunk Employee

Seems like we're online at the same times today 🙂

TA-bluecoat expects a certain field order (and sourcetype = bluecoat). I'd edit its props.conf and eventtypes.conf to look for your sourcetype instead. Then I'd use Splunk Add-on for Weblogs to generate a more efficient field extraction that matches your data... Since you're on ES 3, make sure you reference the Web data model instead of one of the canned field sets.


jcoates_splunk
Splunk Employee

So, no idea what you actually did, just guessing here 🙂 But my guess is that you got bitten by app isolation. The easiest solution is probably to take the props and transforms generated by weblog add-on and copy them to the TA-bluecoat/local directory. Alternatively, you might need to restart the search head or even rerun ES's setup so it will know to inherit knowledge from the new TA.

To your question on doing extractions twice, we actually consider the ability to do different extractions for different apps from the same raw data a feature 🙂

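As an added illustration of the app-isolation point in the reply above (these are example fragments, not files from the thread or from TA-bluecoat itself): a local override that re-points the TA's extraction at the bcoat_proxysg sourcetype, tags the events for the Web data model, and exports the knowledge objects so a different app such as Enterprise Security can see them. The transform name is a placeholder for whatever the TA or the Weblogs add-on actually defines.

```ini
# $SPLUNK_HOME/etc/apps/TA-bluecoat/local/props.conf
# The TA ships its extraction under sourcetype=bluecoat; the data on this
# system arrives as bcoat_proxysg, so bind the same report to that sourcetype.
[bcoat_proxysg]
REPORT-bluecoat_fields = <transform_stanza_from_TA>   ; placeholder name

# $SPLUNK_HOME/etc/apps/TA-bluecoat/local/eventtypes.conf
# ES 3 reads proxy data through the Web data model, which selects events by tag,
# so give the sourcetype an eventtype that can be tagged.
[bcoat_proxysg_web]
search = sourcetype=bcoat_proxysg

# $SPLUNK_HOME/etc/apps/TA-bluecoat/local/tags.conf
# tag=web feeds the Web data model; tag=proxy additionally populates Web.Proxy.
[eventtype=bcoat_proxysg_web]
web = enabled
proxy = enabled

# $SPLUNK_HOME/etc/apps/TA-bluecoat/metadata/local.meta
# Knowledge objects are private to their app unless exported. Without these
# stanzas the Search app (where TA-bluecoat's objects were created or viewed)
# sees the fields, while Enterprise Security, a separate app, does not.
[props]
export = system

[transforms]
export = system

[eventtypes]
export = system

[tags]
export = system

# Verify which file each setting is finally taken from, per app, after a restart:
#   $SPLUNK_HOME/bin/splunk btool props list bcoat_proxysg --debug
```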

echojacques
Builder

Unfortunately, making the modifications to the .conf files didn't work...


echojacques
Builder

Thanks, that makes sense. I'll edit the files and test it again.

Yes, I guess we're on a similar schedule today!
