I am having trouble using a field that is in my log entries, but Splunk doesn't "auto-discover" it when I started indexing data. I have played around with using the "extract new fields", but can't get the field to work right. The field name is "pattern:" in the log entries. I would like to be able to search based on the value of "pattern:" in the entries. I believe the only values it can have in the logs are: 0, 1, allow all.
Here are some examples:
Dec 15 11:38:54 10.1.1.3 1 1481823534.895775102 HOST_NAME flows src=10.1.1.251 dst=23.23.23.23 mac=C4:71:FE:EE:EE:EE protocol=tcp sport=50814 dport=80 pattern: allow all
Dec 15 11:38:54 10.1.1.3 1 1481823535.012274548 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=10155 dport=443 pattern: 0 tcp && dst port 443 && dst 111.111.111.111
Dec 15 11:41:07 10.1.1.3 1 1481823667.556427731 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=46078 dport=23 pattern: 1 all
Dec 15 11:42:00 10.1.1.3 1 1481823667.556427731 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=46078 dport=23 pattern: 1
As you can see, the pattern: field can have a text or a numeric value, if that helps narrow down the issue. Any help would be greatly appreciated. I am new to Splunk and have looked around, but I might not even know the terminology to use to search properly.
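The difficulty with this field is visible in the samples: every other field is `key=value` with no spaces, which Splunk's automatic key/value extraction picks up, but `pattern:` is a trailing label whose value can contain spaces ("allow all") and can be followed by free-form rule text ("0 tcp && dst port 443 ..."). A capture like `\S+` therefore truncates "allow all" to "allow", and a greedy `.*` swallows the rule text into the value. The following is an added example, not code from the question or from Splunk, that shows a regex restricted to the three values the poster expects, run over the sample lines from the post (the addresses in them are the poster's own placeholder values). The field names `pattern` and `pattern_rule` and the helper names are my choices.

```python
import re
from collections import Counter

# Flow log lines copied from the question above (constructed sample input;
# the addresses are the poster's placeholders, not real hosts).
SAMPLE_LINES = [
    "Dec 15 11:38:54 10.1.1.3 1 1481823534.895775102 HOST_NAME flows src=10.1.1.251 dst=23.23.23.23 mac=C4:71:FE:EE:EE:EE protocol=tcp sport=50814 dport=80 pattern: allow all",
    "Dec 15 11:38:54 10.1.1.3 1 1481823535.012274548 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=10155 dport=443 pattern: 0 tcp && dst port 443 && dst 111.111.111.111",
    "Dec 15 11:41:07 10.1.1.3 1 1481823667.556427731 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=46078 dport=23 pattern: 1 all",
    "Dec 15 11:42:00 10.1.1.3 1 1481823667.556427731 HOST_NAME flows src=111.111.111.111 dst=111.111.111.111 protocol=tcp sport=46078 dport=23 pattern: 1",
]

# Anchor on the literal "pattern:" label, then capture the value as exactly one of
# the three forms the question lists ("allow all", "0", "1").  Whatever follows,
# separated by whitespace, is the matched rule text; a value like "10" does not
# match, so malformed lines yield None instead of a wrong field value.
PATTERN_RE = re.compile(
    r"pattern:\s+(?P<pattern>allow all|[01])(?:\s+(?P<pattern_rule>.*))?\s*$"
)

# The remaining fields really are key=value with no embedded spaces.
KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_pattern(line):
    """Return {'pattern': ..., 'pattern_rule': ...}, or None if the line has no pattern: field."""
    m = PATTERN_RE.search(line)
    if not m:
        return None
    return {
        "pattern": m.group("pattern"),
        "pattern_rule": m.group("pattern_rule") or "",
    }


def parse_flow_line(line):
    """Parse one flow line into a dict of key=value fields plus the pattern fields."""
    fields = dict(KV_RE.findall(line))
    extracted = extract_pattern(line)
    if extracted:
        fields.update(extracted)
    return fields


def count_by_pattern(lines):
    """Equivalent of '... | stats count by pattern': how often each value occurs."""
    return Counter(
        extract_pattern(line)["pattern"]
        for line in lines
        if extract_pattern(line) is not None
    )


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_flow_line(line)
        print(parsed["src"], "->", parsed["dst"], "dport", parsed["dport"],
              "pattern:", repr(parsed["pattern"]), "rule:", repr(parsed["pattern_rule"]))
    print(dict(count_by_pattern(SAMPLE_LINES)))
```

The same expression works at search time with Splunk's `rex` command, with the named group written in PCRE form, `(?<pattern>allow all|[01])`, and can then feed `stats count by pattern` or a `pattern="allow all"` filter; once it behaves as expected it can be made permanent as an `EXTRACT-` stanza entry in `props.conf` for that sourcetype so the field exists without `rex` in every search.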