Splunk Search

Interesting Fields Missing in Search & Reporting of two different Search Heads

anandhalagarasa
Path Finder

Hi Team,

We have two search heads deployed in our environment for Enterprise Security Operations team. Let me directly come to my question:

Assume the first search head name as "A" and the second search head name as "B".

-->When I ran a search query in "A" for the last 15 minutes with index=proxy, I got the desired output with 60+ interesting fields.

-->And when I ran the same query in "B" for the last 15 minutes, I got the desired output with only 45 interesting fields.

So when I compared the A & B search heads, the outputs are the same but the interesting fields columns differ.

So I took one of the interesting fields which is present in the "A" search head and checked in "B", and I couldn't spot it.

I have also tried running the query in Smart mode or Verbose mode, but the results are the same.

So I need your help regarding the same.


woodcock
Esteemed Legend

This should lead you to places to check for differences (be sure to UpVote):
https://answers.splunk.com/answers/13407/other-interesting-fields.html

0 Karma

gcusello
SplunkTrust

Hi anandhalagarasan,
do you have clustered Search Heads or not?
Interesting fields are a local configuration: if you have clustered SHs it's strange; if you haven't clustered SHs it's correct.
Bye.
Giuseppe

0 Karma

anandhalagarasa
Path Finder

Our Search heads are not clustered, since when I ran the below command in both the search heads it shows "Search Head Clustering is not enabled on this node. REST endpoint is not available". So is there any possibility to create the interesting fields in the "B" search head?

For example:

In Search Head ("A") we have a few of the interesting fields like "app", "app_owner", etc., but in Search Head ("B") I couldn't spot them, so how can I create them?

0 Karma

gcusello
SplunkTrust

Hi anandhalagarasan,
at first you have to install the same apps in both the SHs.
Then you must be sure that both the SHs have the same search peers (Indexers) configured.
After that you should have the same Interesting fields in both the SHs when running the same search.
Bye.
Giuseppe

0 Karma

anandhalagarasa
Path Finder

We are doing the search in the general Search & Reporting App and it has been configured with the same search peers only. But still the same interesting fields are not present in both the search heads...

0 Karma

gcusello
SplunkTrust

Check [Settings -- Fields -- Field extractions] to see if you have the same field extractions in both the SHs; probably you configured some field extraction only in one SH. For this reason I suggested checking if you have the same apps in both the indexers.
Bye.
Giuseppe

0 Karma
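The search-time field definitions Giuseppe refers to live in props.conf (EXTRACT-, REPORT-, FIELDALIAS-, EVAL- and LOOKUP- keys). A quick way to find what one search head has and the other lacks is to dump the merged configuration on each host and diff the extraction keys. The script below is an added example, not code from the thread or from Splunk: it assumes you have saved the output of `splunk btool props list` from each search head to a file, and it reports keys that exist only on one head plus keys that exist on both but with different values (which can also make a field appear on one head and not the other). The two configuration snippets embedded here are constructed to mirror the thread's "app" and "app_owner" fields; the stanza and transform names are assumptions.

```python
"""Diff search-time field extractions between two Splunk search heads."""
import configparser
from typing import Dict, List, Tuple

# props.conf key prefixes that create search-time fields, i.e. the fields
# that show up in the "interesting fields" sidebar of Search & Reporting.
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-", "KV_MODE")

# Constructed sample: merged props.conf of search head "A"
# (in practice: the output of `splunk btool props list` on that host).
PROPS_SH_A = r"""
[proxy]
KV_MODE = none
EXTRACT-app = (?<app>[^\s]+)\s+owner=
FIELDALIAS-app_owner = owner AS app_owner
REPORT-proxy_kv = proxy_kv_pairs
EVAL-bytes_total = bytes_in + bytes_out
"""

# Constructed sample: search head "B" lacks the two extractions the thread
# mentions, and its REPORT- key points at a differently named transform.
PROPS_SH_B = r"""
[proxy]
KV_MODE = none
REPORT-proxy_kv = proxy_kv_pairs_v2
EVAL-bytes_total = bytes_in + bytes_out
"""

StanzaKey = Tuple[str, str]


def parse_props(text: str) -> Dict[str, Dict[str, str]]:
    """Parse props.conf-style text into {stanza: {key: value}}.

    Only '=' is treated as a delimiter so that ':' inside regexes or
    'source::' stanza names is left alone, and key case is preserved
    because EXTRACT-app and extract-app are different keys to Splunk.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def search_time_fields(props: Dict[str, Dict[str, str]]) -> Dict[StanzaKey, str]:
    """Return {(stanza, key): value} for every search-time field definition."""
    return {
        (stanza, key): value
        for stanza, options in props.items()
        for key, value in options.items()
        if key.startswith(SEARCH_TIME_PREFIXES)
    }


def diff_extractions(
    props_a: Dict[str, Dict[str, str]], props_b: Dict[str, Dict[str, str]]
) -> Tuple[List[StanzaKey], List[StanzaKey], List[StanzaKey]]:
    """Return (only_on_a, only_on_b, present_on_both_but_different)."""
    fields_a = search_time_fields(props_a)
    fields_b = search_time_fields(props_b)
    only_a = sorted(set(fields_a) - set(fields_b))
    only_b = sorted(set(fields_b) - set(fields_a))
    changed = sorted(k for k in set(fields_a) & set(fields_b) if fields_a[k] != fields_b[k])
    return only_a, only_b, changed


def report(props_a_text: str, props_b_text: str) -> str:
    """Render a human-readable diff of the two configurations."""
    only_a, only_b, changed = diff_extractions(parse_props(props_a_text), parse_props(props_b_text))
    lines = []
    for label, keys in (("only on A", only_a), ("only on B", only_b), ("differ", changed)):
        for stanza, key in keys:
            lines.append(f"{label:10s} [{stanza}] {key}")
    return "\n".join(lines) if lines else "no differences in search-time field definitions"


if __name__ == "__main__":
    # Replace the constructed strings with open(path).read() of each btool dump.
    print(report(PROPS_SH_A, PROPS_SH_B))
```

Run it against real dumps by feeding each search head's `splunk btool props list` output into `report()`. Anything listed "only on A" is a definition to copy (via the app that owns it, or Settings -- Fields -- Field extractions) to B; anything listed as "differ" is worth inspecting even though the field name exists on both heads.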