topic Re: no expected fields in sourcetype in Splunk Enterprise Security

no expected fields in sourcetype

infosec_kicb — Tue, 29 Sep 2020 23:22:30 GMT

Hello all!
resently i downloaded Check Point App for Splunk. I configured in input.conf in order to force all Chechpoint devices send their logs to sourcetype cp_log:
[udp://:514]
sourcetype = cp_log
now i can see all necesary logs in this sourcetype, but if i look at soucetype settings - i can see that there should be many various fields. but i cannot see these fiedls while i perform search. No necesary fields - no output on my Check Point App for Splunk. how to get these fields? or should i extract every field mannually?

But search " sourcetype="cp_log" | table *" returns table with fields that i need, but all of them are empty. Only field "Action" contain whole log text(look at attached picture)

APP link - https://splunkbase.splunk.com/app/4293/#/overview/

Re: no expected fields in sourcetype

MoniM — Tue, 19 Feb 2019 10:12:45 GMT

Hi @infosec_kicb ,
I hope you have checked the "All fields" tab and put the coverage percent to "All Fields".
Below is the attached snap for your reference.

Thanks

Re: no expected fields in sourcetype

infosec_kicb — Tue, 19 Feb 2019 10:28:26 GMT

Thank you for your responce... but no... "All fields" - is already selected... (it seem my case is similar to the next https://answers.splunk.com/answers/206812/splunk-add-on-for-cisco-wsa-not-extracting-fields.html)

screenshot as an answer to your question is below:

Re: no expected fields in sourcetype

infosec_kicb — Tue, 19 Feb 2019 10:29:10 GMT

Re: no expected fields in sourcetype

infosec_kicb — Fri, 22 Feb 2019 12:03:54 GMT

But search " sourcetype="cp_log" | table *" returns table with fields that i need, but all of them are empty. Only field "Action" contain whole log text(look at attached picture)