Security

How to write props & transforms to apply for field aliases and evals for a firewall device.

Hemnaath
Motivator

Hi All, kindly guide me on how to write props and transforms to apply field aliases and evals for firewall devices, using the CIM Network data model. Below is the list of fields that are available in the firewall events.

interesting fields:

date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
disp
dst
dstport
eventtype
in_if
index
ip_len
ip_TTL
lineCount
out_if
policy
proto
punct
serial
splunk_server
src
srcPort
tag
tag::eventtype
timeendpos
timestartpos

I have gone through the CIM Network Traffic model below but am not sure how to start and what to write in props.conf and transforms.conf. Kindly guide me on this.

https://docs.splunk.com/Documentation/CIM/4.8.0/User/NetworkTraffic

0 Karma

JDukeSplunk
Builder

It might be easier for you to use the GUI to just alias out fields by sourcetype there.

https://[yoursplunkURL]/en-US/manager/search/data/props/fieldaliases

0 Karma

Hemnaath
Motivator

Hi Duke, I have written field aliases for some of the fields by comparing the fields in the events with the similar fields in CIM Network Traffic.

Example :

For the field name dst, the field alias equivalent after comparing with CIM Network Traffic is:

FIELDALIAS-dest_ip_for_watchguard = dst AS dest_ip

My question is what to write in props/transforms to apply field aliases and evals. Kindly guide me on this.

thanks in advance.

0 Karma
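Putting together what the original question and the follow-up above ask for, here is an added example (not from this thread, and not WatchGuard's or Splunk's own add-on) of the props.conf, transforms.conf, eventtypes.conf and tags.conf entries that map the listed fields onto the CIM Network Traffic model. The left-hand field names are the ones listed in the question; the sourcetype name `watchguard`, the lookup file name, the `disp` values Allow/Deny/Drop, the assumption that `proto` holds a protocol name such as tcp or udp, and the `vendor_product` string are all assumptions to check against your own events.

```ini
# --- props.conf (search-time settings; deploy to the search head or in your TA) ---
# Stanza name "watchguard" is assumed: use the sourcetype your firewall events carry.
[watchguard]

# 1. Field aliases: give the fields already extracted from the events their CIM
#    Network Traffic names. Left side = field in the event, right side = CIM name.
#    "AS" adds a second name for the same value; the original field is kept.
#    Several "old AS new" pairs may share one FIELDALIAS setting.
FIELDALIAS-watchguard_src    = src AS src_ip
FIELDALIAS-watchguard_dest   = dst AS dest dst AS dest_ip
FIELDALIAS-watchguard_ports  = srcPort AS src_port dstport AS dest_port
FIELDALIAS-watchguard_rule   = policy AS rule
FIELDALIAS-watchguard_ifaces = in_if AS src_interface out_if AS dest_interface

# 2. Calculated fields (EVAL): CIM values that are not a plain rename.
#    Search-time order is extractions -> FIELDALIAS -> EVAL -> LOOKUP, so an
#    EVAL may read an aliased field, but one EVAL must not depend on the
#    output of another EVAL in the same stanza.
EVAL-transport      = lower(proto)              # assumes proto is a name like tcp/udp
EVAL-dvc            = serial                    # the firewall's serial identifies the device
EVAL-vendor_product = "WatchGuard Firebox"      # assumed product name

# 3. Lookup-based normalisation of the Allow/Deny disposition into CIM
#    action values (allowed/blocked). The lookup itself is defined in
#    transforms.conf; OUTPUTNEW leaves action empty for disp values the CSV
#    does not list, which is a signal to extend the CSV rather than guess.
LOOKUP-watchguard_action = watchguard_action_lookup disp OUTPUTNEW action

# --- transforms.conf ---
# Lookup definition only; FIELDALIAS and EVAL never go in transforms.conf.
[watchguard_action_lookup]
filename             = watchguard_action.csv   # assumed file name, in the app's lookups/ directory
case_sensitive_match = false

# --- lookups/watchguard_action.csv (constructed sample; disp values are assumed) ---
disp,action
Allow,allowed
Deny,blocked
Drop,blocked

# --- eventtypes.conf ---
# The data model selects events by tag, so an eventtype plus tags are required
# in addition to the field names above.
[watchguard_traffic]
search = sourcetype=watchguard

# --- tags.conf ---
[eventtype=watchguard_traffic]
network     = enabled
communicate = enabled
```

Two points worth checking after deploying this. First, transforms.conf is only needed for lookup definitions and regex (REPORT) extractions; the aliases and evals themselves live entirely in props.conf, so if your fields are already extracted you may not need a transforms.conf at all. Second, verify the result before trusting the data model: a search such as `sourcetype=watchguard | table src dest src_port dest_port transport action rule tag` should show every CIM field populated, and `| datamodel Network_Traffic All_Traffic search | head 5` should return your firewall events once the tags are in place.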

JDukeSplunk
Builder

I am not versed enough in transforms to help you in this regard. Only from personal experience, when just a handful of fields needed to be renamed, have I simply used the GUI to alias them.

With props and transforms, it's trial and error, and Google searches. I typically import some sample data onto a development stand-alone Splunk server and try it out there.

0 Karma

skalliger
SplunkTrust

Did you try searching Splunkbase for an add-on? There are quite a few add-ons out there to help you with your firewall's log fields.

Skalli

0 Karma

Hemnaath
Motivator

Hi skalliger, thanks for your quick response. I am looking for a WatchGuard application but did not find any app related to this. So kindly guide me on how to write props/transforms to apply field aliases and evals.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, could you please guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma