https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758055#M12834 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;,</P><P>thanks for your post. The problem is case on multiline; after I updated my props.conf in a single line all running as expected.</P> Fri, 06 Feb 2026 07:38:20 GMT biroby 2026-02-06T07:38:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758013#M12828 <P>Hello community,</P><P>I'm new to Splunk Custom TA and would like to collect the Linux firewall log. I've searched the web to see if anyone has already done this, but I can't find anything.</P><P>I created a TA structure, but I have a problem: the PROTO field in the log can be numeric or string (I find TCP, UDP, or 1, 2, 47, etc.) and I want everything to be a descriptive string placed in the "transport" field.<BR />I added this code to the props.conf, but it doesn't seem to work:</P><P class="lia-indent-padding-left-30px"><EM># -------------------------------</EM><BR /><EM># Normalize transport (numeric + string proto)</EM><BR /><EM># -------------------------------</EM><BR /><EM>EVAL-transport = case(</EM><BR /><EM>lower(proto)=="tcp" OR proto=="6", "tcp",</EM><BR /><EM>lower(proto)=="udp" OR proto=="17", "udp",</EM><BR /><EM>lower(proto)=="icmp" OR proto=="1", "icmp",</EM><BR /><EM>lower(proto)=="igmp" OR proto=="2", "igmp",</EM><BR /><EM>proto=="47", "gre",</EM><BR /><EM>proto=="50", "esp",</EM><BR /><EM>proto=="51", "ah",</EM><BR /><EM>lower(proto)=="icmp6" OR proto=="58", "icmp",</EM><BR /><EM>proto=="89", "ospf",</EM><BR /><EM>proto=="108", "ipip",</EM><BR /><EM>proto=="112", "vrrp",</EM><BR /><EM>proto=="115", "l2tp",</EM><BR /><EM>proto=="132", "sctp",</EM><BR /><EM>proto=="137", "mpls",</EM><BR /><EM>true(), "unknown"</EM><BR /><EM>)</EM></P><P><BR />If I use the single EVAL instead, it works:</P><P class="lia-indent-padding-left-30px"><EM>EVAL-transport = lower(proto)</EM></P><P><BR />Could you help me?<BR />Thanks</P> Thu, 05 Feb 2026 10:45:33 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758013#M12828 biroby 2026-02-05T10:45:33Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758017#M12829 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/315514">@biroby</a>&nbsp;</P><P>If you put it on one-line does it work?</P><P>You could also check with btool that its picking up correctly:</P><LI-CODE lang="markup">$SPLUNK_HOME/bin/splunk cmd btool props list &lt;yourSourceType&gt;</LI-CODE><P>Check that you see the full eval returned.&nbsp;</P><P>Another thing to check is running the eval as SPL in your search to ensure that you get the correct values returned, this is a good way to check without having to tweak and restart each time.</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Thu, 05 Feb 2026 12:33:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758017#M12829 livehybrid 2026-02-05T12:33:39Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758039#M12833 <P>Wouldn't it be easier to do it with a lookup?</P> Thu, 05 Feb 2026 21:20:12 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758039#M12833 PickleRick 2026-02-05T21:20:12Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758055#M12834 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906">@livehybrid</a>&nbsp;,</P><P>thanks for your post. The problem is case on multiline; after I updated my props.conf in a single line all running as expected.</P> Fri, 06 Feb 2026 07:38:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Linux-firewalld-TA/m-p/758055#M12834 biroby 2026-02-06T07:38:20Z