Proofpoint On Demand Email Security Add-on: How do...

jwhughes58 · ‎04-22-2019

One of the fields in the Email CIM is action. From the Proofpoint-On-Demand pps_messagelog I want to change final_action to action. I've tried using the below in TA-pps_ondemand/local/props.conf

FIELDALIAS-pod_final_action = final_action AS action

and

EVAL-action = final_action

The field alias didn't do anything. The eval caused an error when I tried to deploy. The version of Splunk is 7.2.5.1 installed on-site. Frankly I'm baffled by this one. Either works if I have it in the SPL in search. Any suggestions?

TIA,
Joe

lakshman239 · ‎04-23-2019

If you run your search like this for say last 24 hours index=your_index sourcetype=yoursourcetype | fillnull value="N/A" final_action | stats count by final_action , are you seeing all values from your TA? Pls check if those values are similar to what is expected in the https://docs.splunk.com/Documentation/CIM/4.13.0/User/Email for 'action'. If your TA produces same values, you can just do an alias like what you have done, else, you may need to use the EVAL-action and check for values and map them to what's expected in CIM, using if/else or case statement in your local/props.conf

woodcock · ‎04-22-2019

Your statement is ambiguous. Are you trying to take an existing field in your data and create another field with a different name and the same value? If so, which name is which? If not, be more clear in what exactly you are needing to do.

Proofpoint On Demand Email Security Add-on: How do you set action in Email CIM?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!