All Apps and Add-ons

Missing source and sourcetype in selected and interesting fields

balmeida
Explorer

Hi,

Somehow, when the Linux Auditd Technology Add-On is installed on our SplunkCloud deployment, the source and sourcetype fields disappear from selected fields or interesting fields whenever a linux:audit event is present in the search results.

I can still use them in the search.

As soon as I disable the addon, the fields return

Assuming this search always contains linux:audit data, this is the behaviour I am seeing:

# Fields missing:
host=ip-10-231-16-14 index=test

# Fields missing:
host=ip-10-231-16-14 index=test sourcetype=linux:audit

# Fields appear correctly:
host=ip-10-231-16-14 index=test sourcetype!=linux:audit

I've never seen this kind of behaviour, any ideas what's going on?

Thanks

0 Karma

doksu
SplunkTrust
SplunkTrust

@balmeida that's super weird. Thanks for bringing it to my attention. Could you please open a ticket with support as that sounds like a Splunk bug.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...