Splunk Search

How to find where an extracted field was created that appears in searches?

tlmayes
Contributor

Trying to find where a field was created that appears in a search against our BlueCoat proxy logs.

The field is s_supplier_ip. I have searched all of our indexers, heavy and light forwarders, and search heads using grep -r "s_supplier_ip", hoping the string was in a conf file somewhere, with no luck. All other fields that appear in the search output are in the forwarder distributed app on the Forwarders in transforms.conf and props.conf, but s_supplier_ip shows up nowhere.

Why is this important? I need to know what logic was used to correlate the field s_supplier_ip with the IPs it has mapped to. I assumed that this mapping would be found in a conf file "somewhere" on one of our Splunk instances. Am I missing something obvious?

Thanks in advance

0 Karma

ddrillic
Ultra Champion

Please google BlueCoat proxy logs s_supplier_ip.


The s_supplier_ip field name is associated with the bluecoat log files.

0 Karma

tlmayes
Contributor

Apologies if not enough clarity, and thanks for the response.

This is already known, since s_supplier_ip shows up only when searching within the 'bluecoat' index. The real question is: Where is the "rule" (regex, query, other magic) that identifies the interesting content that populates the field s_supplier_ip? I can find all of the Bluecoat fields that show up in the query identified in props.conf and transforms.conf EXCEPT s_supplier_ip.

0 Karma

ddrillic
Ultra Champion

Interesting thing. Splunk Add-on for Blue Coat ProxySG

I wonder whether you use this Blue Coat Add-on...

0 Karma

tlmayes
Contributor

The initial collection point is a Heavy Forwarder and yes, the Blue Coat add-on is used. Searched through the Blue Coat directories specifically, and found no reference of s_supplier_ip. Just downloaded the App from SplunkBase and searched through the tgz contents as well. No reference.

Anybody else out there capturing Blue Coat logs have an event field of "s_supplier_ip"?

0 Karma

tlmayes
Contributor

To refocus, what I am really looking for is: where else in a heavily distributed Splunk environment could this setting be located, since I have grep'd all servers starting at ../splunk/etc for s_supplier_ip (heavy forwarders, indexers, search heads, management servers)?

redacted screenshot at https://goo.gl/dkUhQ6

0 Karma

splunkton
Path Finder

Does the field appear in the raw data?

0 Karma

tlmayes
Contributor

No, it does not appear in the raw data. Just to make sure, I executed a search, and exported the raw data. Not there. Also, I can specify the "field" of "s_supplier_ip" in a table and the output is presented as expected.

0 Karma
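A search-time field can come from more places than a props.conf or transforms.conf stanza that literally contains its name: a `LOOKUP-` stanza with no `OUTPUT` list returns every column of the lookup CSV, so the field name then exists only in the CSV header; per-user knowledge objects live under `etc/users/`, not `etc/apps/`; and a name that originated in a log header line may be stored with a different spelling (hyphens versus underscores). The script below is an added example, not code from the thread or from the Blue Coat add-on. It builds a constructed miniature `etc/` tree in a temp directory (the app name `demo_bluecoat`, user `alice`, lookup `supplier_lookup` and all stanza contents are invented for the demo) and then shows a `find_field_sources` function that checks both `*.conf` files and lookup CSV headers, trying the hyphenated spelling as well; the hyphen normalisation is an assumption, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not from the original thread. Enumerates where a search-time
# field could be defined under a Splunk etc/ tree. The tree built below is
# constructed for the demo; point the function at your own $SPLUNK_HOME/etc.
set -eu

# Create a constructed miniature etc/ tree and print its path.
make_demo_etc() {
  d=$(mktemp -d)
  mkdir -p "$d/apps/demo_bluecoat/local" "$d/apps/demo_bluecoat/lookups" \
           "$d/users/alice/search/local"
  # A LOOKUP- stanza without an OUTPUT list returns every CSV column, so the
  # output field name appears only in the CSV header, never in a .conf file.
  cat > "$d/apps/demo_bluecoat/local/props.conf" <<'EOF'
[bluecoat:proxysg:access:syslog]
LOOKUP-supplier = supplier_lookup cs_host
EOF
  cat > "$d/apps/demo_bluecoat/local/transforms.conf" <<'EOF'
[supplier_lookup]
filename = supplier.csv
EOF
  cat > "$d/apps/demo_bluecoat/lookups/supplier.csv" <<'EOF'
cs_host,s_supplier_ip
proxy.example.test,192.0.2.10
EOF
  # A per-user knowledge object under etc/users, easy to miss when only
  # etc/apps is searched; it also uses the hyphenated spelling.
  cat > "$d/users/alice/search/local/props.conf" <<'EOF'
[bluecoat:proxysg:access:syslog]
FIELDALIAS-dst = s-supplier-ip AS dest_ip
EOF
  printf '%s\n' "$d"
}

# Print every file under $1 that can define or name the field $2:
# any *.conf file (props, transforms, eventtypes, savedsearches, ...) and the
# header row of any lookup CSV. Also tries the hyphenated spelling, on the
# assumption that a name taken from a log header line may be stored that way.
find_field_sources() {
  etc_dir=$1
  field=$2
  alt=$(printf '%s' "$field" | tr '_' '-')
  {
    grep -rl --include='*.conf' -e "$field" -e "$alt" "$etc_dir" 2>/dev/null || true
    # Only the header row of a lookup CSV names output fields.
    find "$etc_dir" -path '*/lookups/*.csv' 2>/dev/null | while IFS= read -r f; do
      head -n 1 "$f" | grep -q -e "$field" -e "$alt" && printf '%s\n' "$f"
    done
  } | sort -u
}

# Demo run against the constructed tree.
demo_etc=$(make_demo_etc)
echo "Files that can define s_supplier_ip under $demo_etc:"
find_field_sources "$demo_etc" s_supplier_ip
```

On a real instance, run `find_field_sources "$SPLUNK_HOME/etc" s_supplier_ip` on each search head and heavy forwarder, since search-time knowledge is merged per instance. To see which file actually wins after layering, `splunk btool props list <sourcetype> --debug` (and the same with `transforms`) prints each effective setting with the path it came from, which is the quickest way to confirm whether a `LOOKUP-`, `FIELDALIAS-`, `EVAL-`, `EXTRACT-` or `REPORT-` setting is responsible.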