I think I need to push this from the deployment server to each device, or at least to the forwarder and the search head.
I have 5 servers making up my Splunk Enterprise deployment: 1 SH, 1 FW, 1 DS, 2 indexers.
My props.conf on the forwarder has this configuration for 1 data source:
FIELDALIAS-severity_as_id = severity as severity_id
FIELDALIAS-dst_as_dest = dst as dest
# string literal must be quoted; unquoted it is read as a field name
EVAL-app = "netwitness"
# named capture group restored (the <subject> was lost in the post)
EXTRACT-subject = CEF\:\s+\d(?:\|[^\|]+){3}\|(?<subject>[^\|]+)
When I search I am not seeing the 'subject'. Does this need to be pushed to the search head? How about the other devices? I am trying to understand this.
Thanks!
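An added example, not from the original post and not Splunk's own code, that checks the posted EXTRACT regex offline against constructed CEF lines before it is deployed anywhere. FIELDALIAS, EVAL and EXTRACT are search-time settings, so they are read from the props.conf on the search head; a copy that lives only on the forwarder explains a missing field. The harness assumes the stripped named group was `(?<subject>...)` (Python's `re` spells it `(?P<subject>...)`; everything else in the pattern is unchanged) and shows two things worth knowing before pushing it: the group captures the fourth pipe-delimited field after the CEF version (the signature ID slot, not the event name), and `\s+` requires whitespace between `CEF:` and the version, so a header written `CEF:0|` does not match at all. The sample events are constructed, not real NetWitness output.

```python
import re

# The pattern from the post with the named group restored. Splunk uses PCRE
# syntax (?<subject>...); Python's re needs (?P<subject>...).
SUBJECT_REGEX = r"CEF\:\s+\d(?:\|[^\|]+){3}\|(?P<subject>[^\|]+)"

# Same pattern with \s* so a header with no space after "CEF:" also matches.
# Whether that is wanted depends on how the source actually writes the header.
SUBJECT_REGEX_LAX = r"CEF\:\s*\d(?:\|[^\|]+){3}\|(?P<subject>[^\|]+)"

# Constructed sample events (hypothetical values, not real NetWitness data).
SAMPLE_WITH_SPACE = (
    "CEF: 0|RSA|NetWitness|11.0|SIG-1234|Suspicious login|5|"
    "src=10.0.0.5 dst=10.0.0.9"
)
SAMPLE_NO_SPACE = (
    "CEF:0|RSA|NetWitness|11.0|SIG-1234|Suspicious login|5|"
    "src=10.0.0.5 dst=10.0.0.9"
)


def extract_subject(event: str, pattern: str = SUBJECT_REGEX):
    """Return what the EXTRACT regex would put in 'subject', or None if no match."""
    m = re.search(pattern, event)
    return m.group("subject") if m else None


def cef_fields(event: str):
    """Split a CEF line on the header delimiter so a capture can be compared
    with its field position. Simplification: CEF allows escaped pipes (\\|)
    inside header fields, which this plain split does not handle."""
    return event.split("|")


def field_index_of_subject(event: str, pattern: str = SUBJECT_REGEX):
    """Which pipe-delimited slot (0 = version slot) the regex actually captures."""
    subject = extract_subject(event, pattern)
    if subject is None:
        return None
    return cef_fields(event).index(subject)


if __name__ == "__main__":
    for label, ev in (("with space", SAMPLE_WITH_SPACE), ("no space", SAMPLE_NO_SPACE)):
        print(label, "strict:", extract_subject(ev),
              "lax:", extract_subject(ev, SUBJECT_REGEX_LAX))
    print("subject is CEF field #", field_index_of_subject(SAMPLE_WITH_SPACE))
```

Run it before pushing the app: if the strict pattern returns None for your real events, the `\s+` is the reason rather than the deployment path, and if the captured value is the signature ID rather than the event name, the `{3}` needs to become `{4}`.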