Posted by: Pdfprep
Post Date: November 10, 2020
A Splunk user successfully extracted an IP address into a field called src_ip. Their colleague cannot see that field in their search results, even for events known to contain src_ip.
Which of the following may explain the problem? (Select all that apply.)
A. The field was extracted as a private knowledge object.
B. The events are tagged as communicate, but are missing the network tag.
C. The Typing Queue, which does regular expression replacements, is blocked.
D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.
Answer: D
Explanation:
Reference: https://answers.splunk.com/answers/657187/map-command-field-not-being-evaluated.html