Solved: Can you help me translate/transcribe ssl_version v...

bryan_dady · ‎09-17-2018

I can't find an affirmative document / release note, so if you know, please clarify when this ssl_version field was added to the Splunk Stream app.

I am trying to add the ssl_version field to a dashboard, But the values showing in this field do not match up to SSL/TLS versions I recognize.

We're running Splunk Stream 7.1.2 on Splunk Enterprise 6.6.7. I don't find any field reference in the current Stream App documentation, or in Stream Field Details.

The sample events I'm seeing are all showing a value of "3.3".

bryan_dady · ‎09-17-2018

I think I got it - I hope this is helpful to others ...

| eval tls_version = case(ssl_version=="3.1", "1.0", ssl_version=="3.2", "1.1", ssl_version=="3.3", "1.2", ssl_version=="undefined", "n/a", true(), "other")

View solution in original post

bryan_dady · ‎09-17-2018

I think I got it - I hope this is helpful to others ...

| eval tls_version = case(ssl_version=="3.1", "1.0", ssl_version=="3.2", "1.1", ssl_version=="3.3", "1.2", ssl_version=="undefined", "n/a", true(), "other")

Can you help me translate/transcribe ssl_version values in Stream app SSLActivity source?

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup