Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a new field in indexing time from data received via HEC

corti77
Contributor
‎10-31-2023 07:52 AM

Hi,

I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion.

At the moment, I receive events from our two different firewall (PaloAlto and Stormshield). My problem arises with the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant.

More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead.

My question is how it would be the best way to implement this transformation.

I tried creating the following files in the path 

C:\Program Files\Splunk\etc\apps\splunk_httpinput\local

props.conf

[StormShield:StormShield]
TRANSFORMS = rewriteaction

transform.conf

[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked" , 1=1, "UNKNOWN")

I restarted Splunk, but nothing really happened.

Any idea of what I am doing wrong? 

Many thanks.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

View solution in original post

Reply
Solved! Jump to solution

corti77
Contributor
‎11-01-2023 04:13 AM

hi @PickleRick , yes, I am a bit confused about the philosophy behind all these files.

We have only one single server, so I guess it has to be configured there. You mentioned that has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local ?

cheers

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2023 05:50 AM

While in an all-in-one scenario it might not be that important, it's useful to remember that you should avoid putting anything in etc/system/local.

Apart from that, you can put it "anywhere" - see how Splunk merges the separate files into effective config https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...