
Splunk CIM Network Traffic issue with the field action?

Eyal
Path Finder
Hi,
I have adjusted one of the FWs to be CIM compliant.

I have 2 types of action parameters:
  • one called "Action" that contains 100% of the values.
  • one called "action" that contains 3% of the values.
I created a query in the calculated fields that should translate all the values in the Action field to the strings allowed and blocked, as they are supposed to be in the Network Traffic Data Model.

Link: https://docs.splunk.com/Documentation/CIM/5.1.1/User/NetworkTraffic

The query is:
case(like('Action',"%alert%"),"allowed",like('Action',"%allow%"),"allowed",like('Action',"%drop%"),"blocked",like('Action',"%reset-both%"),"blocked",like('Action',"%block-url%"),"blocked",like('Action',"%deny%"),"blocked")

It works when I query this in the SPL command line; however, it does not work when it runs as a calculated field.
Is someone familiar with this issue? I will really appreciate your help 🙂

gcusello
SplunkTrust

Hi @Eyal,

Enter [Settings > dataModels] and choose the Network Traffic DataModel.

If accelerated (it should be), disable acceleration.

Click on Add Field (button on the right side of the dashboard).

Click on Eval Expression and insert the expression.

Enable acceleration.

Obviously this new field doesn't contain any value for old records: you can rebuild the Data Model or wait for new records.

Ciao.

Giuseppe

Eyal
Path Finder

Hi @gcusello,

I want to thank you very much for your help!

We have found the issue. Apparently our previous integration guy had configured the value action on this index, however he configured it on the source instead of the sourcetype, which made me think that the system related to that index is giving us 2 fields of action (Action & action).

I was told that when you configure the calculated field using source it will be stronger than configuring it on sourcetype.

Since we had the same calculated field on source and on sourcetype, I could only see the old configuration, which did not match your suggestions here.

The minute I deleted the old configuration that depended on the source of the index, everything started to work!

Anyway, thanks a lot; as mentioned above, I really appreciate it!

Eyal
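
As an added illustration of the root cause described in this thread (not configuration from the original posts), this is what the conflicting props.conf looks like when the same calculated field is defined on a source:: stanza and on a sourcetype stanza. The sourcetype name, log path and the stale expression are constructed assumptions; the case() expression is the one from the question.

```ini
# props.conf (constructed example)

# STALE definition left behind by the earlier integration.
# For the same setting name, Splunk resolves props.conf stanzas in the
# order source, then host, then sourcetype, so this EVAL-action silently
# overrides the sourcetype definition below. Delete this stanza.
[source::/var/log/fw/*.log]
EVAL-action = if('Action'=="allow","allowed","blocked")

# INTENDED definition on the firewall sourcetype (name assumed), producing
# the allowed/blocked values the Network Traffic data model expects.
[fw:traffic]
EVAL-action = case(like('Action',"%alert%"),"allowed",like('Action',"%allow%"),"allowed",like('Action',"%drop%"),"blocked",like('Action',"%reset-both%"),"blocked",like('Action',"%block-url%"),"blocked",like('Action',"%deny%"),"blocked")

# To find which stanza actually wins on a search head, run:
#   splunk btool props list --debug | grep EVAL-action
# The --debug output prints the file and stanza each setting comes from.
```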

gcusello
SplunkTrust

Hi @Eyal,

Good for you, see you next time!

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
