All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

eNcore correlation events SRC and DEST IP addresses fields as INTEGER

mcatanoi
New Member
‎12-27-2018 02:14 AM

Hi,

The Correlation Events received via eStreamer are processed by eNcore app in a wrong format for SRC and DEST IP addresses fields, which are presented as INTEGER values, rather than IPs.

per example:
rec_type=112 rec_type_desc="Correlation Event" src_ip=3117469894 dest_ip=182909563

Can you fix it please?

Thank you

0 Karma
Reply

douglashurd
Builder
‎02-06-2019 03:32 PM

Any chance you had Meta Data switched off on the FMC estreamer configuration page? We haven't seen this on other customer sites.

0 Karma
Reply

mcatanoi
New Member
‎12-28-2018 03:52 AM

Hi,

We've fixed this issue by modifying the following lines into the encore\estreamer\definitions\blocks_series1.py

...127
BLOCK_USER_LOGIN_INFORMATION_54: [
...
{ 'type': TYPE_IPV4, 'name': 'ipv4Address' },
{ 'type': TYPE_IPV6, 'name': 'ipv6Address' },
...

It would be great if the author of this app will submit these changes for the next release.

Thank you

0 Karma
Reply

p_gurav
Champion
‎12-27-2018 08:44 PM

Hi mcatanoi,

  • Please check the sourcetype is properly mapped for those events
  • Also check the format of extraction defined for this sourcetype is match with pattern of events you are getting.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...