Hi @Eyal,
enter in [Settings > dataModels] and choose the Network Traffic DataModel.
If accelerated (it should be), disable acceleration.
Click on Add Field (button on the right side of the dashboard).
Click on Eval Expression and insert the expression.
Enable acceleration.
Obviously this new field doesn't contain any value for old records: you can rebuild the Data Model or wait for new records.
Ciao.
Giuseppe
Hi @gcusello,
I want to thank you very much for your help!
We have found the issue. Apparently our previous integration guy had configured the value action on this index, however he configured it on the source instead of the sourcetype, which made me think that the system related to that index is giving us 2 fields of action (Action & action).
I was told that when you configure the calculated field using source it will be stronger than configuring it on sourcetype.
Since we had the same calculated field on source and on sourcetype, I was only seeing the old configuration, which did not match your suggestions here.
The minute I deleted the old configuration that depended on the source of the index, everything started to work!
Anyway, thanks a lot; as mentioned above, I really appreciate it!
Eyal
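Added example, not part of the thread: in props.conf a `[source::...]` stanza takes precedence over a `[<sourcetype>]` stanza, so an `EVAL-<field>` defined in both can leave the older source-scoped definition silently in effect. The sketch below flags such fields; the stanza names and expressions in the sample are constructed, and the parser assumes one setting per line (no backslash continuations).

```python
import re
from collections import defaultdict

# Constructed sample props.conf content (stanza names and expressions are made up).
SAMPLE_PROPS = """\
[source::/var/log/fw/traffic.log]
EVAL-action = if(Action=="permit", "allowed", "blocked")

[fw:traffic]
EVAL-action = case(Action=="permit", "allowed", Action=="deny", "blocked", true(), "unknown")
EVAL-vendor_action = Action

[host::fw01]
TZ = UTC
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
EVAL_KEY = re.compile(r"^EVAL-([^\s=]+)\s*=")

def stanza_kind(name):
    """Classify a props.conf stanza header by its prefix."""
    prefix, sep, _ = name.partition("::")
    if sep and prefix in ("source", "host", "rule", "delayedrule"):
        return prefix
    return "default" if name == "default" else "sourcetype"

def find_shadowed_evals(props_text):
    """Return {field: {kind: [stanzas]}} for calculated fields that are
    defined in both a source:: stanza and a sourcetype stanza."""
    seen = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            continue
        key = EVAL_KEY.match(line)
        if key and current is not None:
            seen[key.group(1)][stanza_kind(current)].append(current)
    return {field: dict(kinds) for field, kinds in seen.items()
            if "source" in kinds and "sourcetype" in kinds}

if __name__ == "__main__":
    for field, kinds in find_shadowed_evals(SAMPLE_PROPS).items():
        print(f"EVAL-{field}: source {kinds['source']} overrides sourcetype {kinds['sourcetype']}")
```

Field names are compared case-sensitively, so `Action` and `action` count as different fields.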
Hi @Eyal,
good for you, see you next time!
Let me know if I can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉