Splunk Add-on for Check Point OPSEC LEA: Why is the src field not consistent?

Federica_92
Communicator

Hi everyone,

I am getting IDS Check Point logs in Splunk through the Splunk Add-on for Check Point OPSEC LEA. Looking at the raw logs, I can correctly see src=x.x.x.x, but clicking on the field above, it changes the value of the src (or src_ip) field to the value of origin. I tried to manually extract the field, but it doesn't allow me to do it. (Everything is set as global, and I don't have any permission issues.)

I had a look at the props/transforms files, but I wasn't able to locate the point where this happens.

0 Karma

mikelanghorst
Motivator

I can't explain why it was decided to have this field alias, but it's within the [opsec:ips] stanza

[opsec:ips]
...
FIELDALIAS-dvc_for_opsec                        = orig as dvc, orig as dvc_ip
FIELDALIAS-signature_for_ips                     = Protection_Name as signature
FIELDALIAS-src_for_opsec                        = orig as src, orig as src_ip

I'm not sure if the source formatting has changed or ??

0 Karma
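To find definitions like this without reading every props.conf by hand, here is an added example (not part of the answer above or of the add-on) that parses props.conf text and lists every FIELDALIAS that writes into a given target field. The sample text is constructed from the [opsec:ips] stanza quoted above plus an invented [opsec:fw] stanza; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the stanza quoted in the answer; not the real TA file.
SAMPLE_PROPS = r"""
[opsec:fw]
FIELDALIAS-dvc_for_opsec = orig as dvc, orig as dvc_ip

[opsec:ips]
FIELDALIAS-dvc_for_opsec                        = orig as dvc, orig as dvc_ip
FIELDALIAS-signature_for_ips                     = Protection_Name as signature
FIELDALIAS-src_for_opsec                        = orig as src, orig as src_ip
EXTRACT-src_from_raw = src=(?<src>\d+\.\d+\.\d+\.\d+)
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ALIAS_RE = re.compile(r"^(?P<key>FIELDALIAS-[^=\s]+)\s*=\s*(?P<value>.+?)$")
# One "<source> AS <target>" pair; Splunk also accepts ASNEW, and the add-on uses lowercase.
PAIR_RE = re.compile(r"(?P<source>[^\s,]+)\s+(?:ASNEW|AS)\s+(?P<target>[^\s,]+)", re.IGNORECASE)


def find_aliases(props_text, target_fields):
    """Return {target_field: [(stanza, setting_name, source_field), ...]} for
    every FIELDALIAS in props_text whose output field is in target_fields."""
    hits = defaultdict(list)
    stanza = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = ALIAS_RE.match(line)
        if not m:
            continue  # EXTRACT-, REPORT-, etc. are not aliases
        for pair in PAIR_RE.finditer(m.group("value")):
            if pair.group("target") in target_fields:
                hits[pair.group("target")].append((stanza, m.group("key"), pair.group("source")))
    return dict(hits)


if __name__ == "__main__":
    for field, sources in find_aliases(SAMPLE_PROPS, {"src", "src_ip"}).items():
        for stanza, key, source in sources:
            print(f"{field} is overwritten by {source} via {key} in [{stanza}]")
```

On a live instance, feed it the merged configuration (for example the output of `splunk btool props list opsec:ips --debug`) rather than a single file, so that default/ and local/ layers are both covered.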