https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558361#M6310 <P>Hi,</P><P>I think this should work with the transform that change sourcetype uncommented.</P><P>Then move the REPORTS stanza is in a sourcetype scope not a source</P><P>so</P><P>[pan:trafic]</P><P><SPAN class="s1">REPORT-trafic_fields = pan_trafic_fields</SPAN></P><P><SPAN class="s1">(make sure this config is also present on sh so deploy the whole sh + idx)</SPAN></P><P>&nbsp;</P><P>that makes at least things much easier to debug with such things scoped at sourcetype level</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Jul 2021 07:22:50 GMT maraman_splunk 2021-07-06T07:22:50Z https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558329#M6307 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I have a HEC input on an indexer.&nbsp;</P><P>I am trying to send Palo Alto Traffic Logs over HEC<BR /><BR />I have the this stanza in the props.conf&nbsp;</P><P class="p1"><SPAN class="s1">[source::hec]</SPAN></P><P class="p1"><SPAN class="s1">pulldown_type = true</SPAN></P><P class="p1"><SPAN class="s1">SHOULD_LINEMERGE = false</SPAN></P><P class="p1"><SPAN class="s1">TIME_PREFIX = ^(?:[^,]*,){5}</SPAN></P><P class="p1"><SPAN class="s1">MAX_TIMESTAMP_LOOKAHEAD = 100</SPAN></P><P class="p1"><SPAN class="s1">#TRANSFORMS-sourcetype =<SPAN class="Apple-converted-space">&nbsp; </SPAN>pan_traffic</SPAN></P><P class="p1"><SPAN class="s1">REPORT-trafic_fields = pan_trafic_fields</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>and this in transforms.conf&nbsp;</P><P class="p1"><SPAN class="s1">[pan_trafic_fields]</SPAN></P><P class="p1"><SPAN class="s1">DELIMS = ","</SPAN></P><P class="p1"><SPAN class="s1">FIELDS = "receive_time","serial_number","log_type","log_subtype","src_ip","dest_ip","rule","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","session_id","repeat_count","src_port","dest_port","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","sequence_number","src_location","dest_location","packets_out","packets_in","session_end_reason","dvc_name","action_source","tunnel_id"</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">I am trying to test it with curl</SPAN></P><P class="p1"><SPAN class="s1">curl -k "<A href="https://172.31.72.93:8088/services/collector/raw?cca3-f29f63e09fdc&amp;sourcetype=pan:log" target="_blank" rel="noopener">https://172.31.72.93:8088/services/collector/raw?cca3-f29f63e09fdc&amp;sourcetype=pan:log</A>" -H "Authorization: Splunk 92a1a276-eee8-XXXX-XXXX-11d002640ad0" -d '"2021/07/05 12:30:06",44A1B3FC68F5304,TRAFFIC,end,103.125.191.136,10.0.0.10,splunk,incomplete,vsys1,untrusted,trusted,ethernet1/3,ethernet1/2,log-forwarding-default,574277,1,52564,8088,tcp,allow,74,74,0,1,"2021/07/05 12:30:06",0,any,730218,"United States",10.0.0.0-10.255.255.255,1,0,aged-out,PA-VM,from-policy,0'</SPAN></P><P class="p1"><SPAN class="s1">the Sourcetype is being recognised by Splunk as pan:traffic as expected but the parsing is not working on the indexers and no fields are showing in my search&nbsp;<BR /><BR />am i missing something here&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P>&nbsp;</P> Mon, 05 Jul 2021 16:15:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558329#M6307 aamer86 2021-07-05T16:15:35Z https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558361#M6310 <P>Hi,</P><P>I think this should work with the transform that change sourcetype uncommented.</P><P>Then move the REPORTS stanza is in a sourcetype scope not a source</P><P>so</P><P>[pan:trafic]</P><P><SPAN class="s1">REPORT-trafic_fields = pan_trafic_fields</SPAN></P><P><SPAN class="s1">(make sure this config is also present on sh so deploy the whole sh + idx)</SPAN></P><P>&nbsp;</P><P>that makes at least things much easier to debug with such things scoped at sourcetype level</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Jul 2021 07:22:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558361#M6310 maraman_splunk 2021-07-06T07:22:50Z https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558362#M6311 <P>btw reports is a search time extraction</P> Tue, 06 Jul 2021 07:23:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558362#M6311 maraman_splunk 2021-07-06T07:23:31Z https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558372#M6312 <P>Why don't you use app\addon for PaloAlto? It extracts fields without problems. Also according to your props.conf - sourcetype recognition is commented, so looks like it happens somewhere else.<BR /><SPAN class="s1">#TRANSFORMS-sourcetype =<SPAN class="Apple-converted-space">&nbsp; </SPAN>pan_traffic</SPAN><BR /><BR />You can also try to download application and check config files there (easiest way) - so you will have some clue on how to modify your configs or copy them to your system.</P><P>&nbsp;</P><P>Thank, Gene</P> Tue, 06 Jul 2021 09:13:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/index-time-extraction-not-working/m-p/558372#M6312 Gene 2021-07-06T09:13:44Z