Hi
I have a log like this:
Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA %%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. (Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")
I have a field extraction in search mode:
sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("
So if I search like this:
sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\(" | search sig="SHELL/5/CMDRECORD"
it works like a charm.
**But** if I save the extraction in Field Extractions (all the permissions are global; we have restarted Splunk several times and run extract reload=true)
and then run the search:
sourcetype="huawei" sig="SHELL/5/CMDRECORD"
**it shows 0 results.**
Any idea what could be happening?
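Added example, not part of the original post: the question's rex regex re-implemented in Python over the sample line, so the extraction can be checked outside Splunk. The first event is the line from the question; the second event, the key=value parsing of the detail block and the search_events filter are constructed extras that go beyond the question's regex.

```python
import re

# Constructed sample input. The first line is the Huawei syslog event quoted in
# the question; the second is a made-up event of the same shape with a different
# signature, so the search below has something to filter out.
SAMPLE_EVENTS = [
    "Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA "
    "%%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. "
    "(Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, "
    'AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")',
    # hypothetical event, constructed for this example
    "Mar 10 20:21:02 10.18.10.11 Mar 10 2016 20:19:30 HIPDR-M909-X8-CA "
    "%%01SHELL/4/LOGIN(l)[37106]:User login. (UserName=65w, IpAddress=10.2.11.10)",
]

# Same regex as the question's rex, in Python syntax: Splunk's PCRE accepts
# (?<sig>...), Python's re module needs (?P<sig>...). '%' and '/' need no escape.
SIG_RE = re.compile(r"%%\d{2}(?P<sig>\w+/\d+/\w+)\(")

# The free-text message after the "[pid]:" separator.
MSG_RE = re.compile(r"\]:(?P<msg>.*)$")

# key=value pairs inside the detail block; values are either double-quoted
# (may contain spaces and commas) or run up to the next comma or closing paren.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,)]+))')


def extract_sig(event):
    """Return the Huawei signature (e.g. 'SHELL/5/CMDRECORD') or None."""
    m = SIG_RE.search(event)
    return m.group("sig") if m else None


def extract_fields(event):
    """Extract 'sig' plus the key=value pairs of the detail block into a dict."""
    fields = {}
    sig = extract_sig(event)
    if sig is None:
        return fields
    fields["sig"] = sig
    msg = MSG_RE.search(event)
    if msg:
        for key, quoted, bare in KV_RE.findall(msg.group("msg")):
            fields[key] = quoted if quoted else bare
    return fields


def search_events(events, **criteria):
    """Rough equivalent of `| search sig="SHELL/5/CMDRECORD" User=65w`: keep
    events whose extracted fields match every criterion (exact, case-sensitive)."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        if all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_fields(event))
    print(len(search_events(SAMPLE_EVENTS, sig="SHELL/5/CMDRECORD")), "hit(s)")
```

Apart from the `(?P<sig>...)` spelling that Python requires, the regex is the one from the question, and it does pull `SHELL/5/CMDRECORD` out of the sample line. One thing worth keeping in mind when the same regex is moved from an inline rex into a saved extraction: Splunk applies a search-time extraction only to events that match the props.conf stanza it was saved under (a sourcetype, source or host stanza), so the stanza the extraction landed in and the events' actual sourcetype value have to agree before the field can appear in a plain `sourcetype="huawei" sig=...` search.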