I am getting ids checkpoint logs in Splunk through the Splunk Add-on for Check Point OPSEC LEA. Looking at the raw logs, I can correctly see src=x.x.x.x, but clicking on the field above, it changes the value of the src ( or src_ip) field with the value of origin. I tried to manually extract the field, but it doesn't allow me to do it. (Everything is set as global, and I don't have any permission issues)
I had a look on the props/transforms file, but I wasn't able to locate the point where this happens.