All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Proofpoint On Demand Email Security Add-on: How do you set action in Email CIM?

jwhughes58
Contributor
‎04-22-2019 11:44 AM

One of the fields in the Email CIM is action. From the Proofpoint-On-Demand pps_messagelog I want to change final_action to action. I've tried using the below in TA-pps_ondemand/local/props.conf

FIELDALIAS-pod_final_action = final_action AS action

and

EVAL-action = final_action

The field alias didn't do anything. The eval caused an error when I tried to deploy. The version of Splunk is 7.2.5.1 installed on-site. Frankly I'm baffled by this one. Either works if I have it in the SPL in search. Any suggestions?

TIA,
Joe

0 Karma
Reply

lakshman239
Influencer
‎04-23-2019 01:35 AM

If you run your search like this for say last 24 hours index=your_index sourcetype=yoursourcetype | fillnull value="N/A" final_action | stats count by final_action , are you seeing all values from your TA? Pls check if those values are similar to what is expected in the https://docs.splunk.com/Documentation/CIM/4.13.0/User/Email for 'action'. If your TA produces same values, you can just do an alias like what you have done, else, you may need to use the EVAL-action and check for values and map them to what's expected in CIM, using if/else or case statement in your local/props.conf

0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2019 08:09 PM

Your statement is ambiguous. Are you trying to take an existing field in your data and create another field with a different name and the same value? If so, which name is which? If not, be more clear in what exactly you are needing to do.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...