Solved: After upgrade to Splunk 6.2.1, why are fields no l...

hlarimer · ‎01-19-2015

I recently updated to Splunk Enterprise 6.2.1 and have noticed that my Palo Alto logs are no longer extracting fields when searching inside the Search app. When I go to the Palo Alto App and use sideview search, then the fields are extracted correctly.

Is this intended or is there a setting to change to extract fields in both locations?

hlarimer · ‎01-19-2015

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

View solution in original post

hlarimer · ‎01-19-2015

I found the problem, the props and transforms are not set to be globally shared across apps for this app. These settings are found in SplunkforPaloAltoNetwork/metadata/default.meta. I changed props, transforms, lookups to system and the fields are now being extracted from the search app. I haven't had to do this for this app before and wonder why the permissions were changed?

hlarimer · ‎01-19-2015

This was caused because I created a whole new app for Palo Alto and migrated my local folders but I forgot to move the local.meta file as well, which had these setting along with permission settings for the application. Self inflicted but I hope this thread helps someone!

After upgrade to Splunk 6.2.1, why are fields no longer extracted from Palo Alto logs when searching using the Search App?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor