All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

The rule FIELDALIAS is wrong in the Splunk app for Check Point

ckurtz
Path Finder
‎02-15-2016 02:45 PM

The props.conf FIELDALIAS for the field "rule" is bad, in both in [opsec] and [opsec:vpn]: (at least for v77 Firewalls)

FIELDALIAS-rule_for_opsec      = policy_name as rule

This overwrites the default key=value field for the "rule" field, a numeric field in the data. In an ideal world we could get a rule # to rule name definition from the Firewalls in some lookup table, but most CP Admins know their rule #s pretty well...

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ckurtz
Path Finder
‎02-15-2016 02:48 PM

The temporary fix (until the app is updated) is to add the following to a local/props.conf file:

[opsec]
FIELDALIAS-rule_for_opsec      = 
[opsec:vpn]
FIELDALIAS-rule_for_opsec      =

H/T to Fellow SplunkTrustee @dshpritz for the FIELDALIAS kung foo!

View solution in original post

Reply
Solved! Jump to solution
Solution

ckurtz
Path Finder
‎02-15-2016 02:48 PM

The temporary fix (until the app is updated) is to add the following to a local/props.conf file:

[opsec]
FIELDALIAS-rule_for_opsec      = 
[opsec:vpn]
FIELDALIAS-rule_for_opsec      =

H/T to Fellow SplunkTrustee @dshpritz for the FIELDALIAS kung foo!

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...