- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Where do fields come from?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where do fields come from?
This may seem to be a fairly daft question, but after a fair bit of head-scratching I can't see an obvious answer.
The question is, where did a particular field come from?
The context is that I had a field which I could not alias because it was returned by a lookup. But there is no way to tell what the provenance of any given field as far as I know. So I had to look in all the apps on the system and eventually located it as an automatic lookup. Solution was to create a calculated field with the name I wanted, but that's beside the point.
Is there any way to get Splunk to tell where a particular field came from (app, .conf file) without either digging through everything by Mk1 eyeball, or splunking all your splunk config?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pretty much as I thought then.
It seems to me that if you're using something like git to store your splunk configs--and you should be!--it will be simpler in most cases to assemble an app to splunk your git repo and search your configuration elements that way.
I have actually done this myself years ago but neglected to retain the exact method when I left that engagement. What I do remember is that it involved using only one depth of the repo (i.e. current master versions for all configs) and storing the full path, the conf file path and name, and the specific element which was configured. Keyword searches for any item then showed you what sort of a thing it was, where it was defined and additionally where it was used.
This was also handy for finding out whether you had an existing sourcetype you could use, or whether you had to create a new one. Might seem trivial, but it isn't when you have hundreds or thousands of data sources and sourcetypes in a large enterprise.
Ah well, might need to figure out how to do it all over again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://answers.splunk.com/answers/339034/is-there-a-way-to-know-which-fields-were-extracted.html
I think this is answering a similar question.
Hope this helps, Thanks!
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
