- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: How to write props & transforms to apply for f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write props & transforms to apply for field aliases and evals for a firewall device.
Hi All, Kindly guide me on how to write a props and transforms to apply for a field aliases and evals for a firewall devices,using CIM Network data model. The below are the list of fields that are available in the firewall events.
interesting fields
date_hour
date_mday
date_minute
@date_month
date_second
@date_wday
date_year
@date_zone
@disp
@dst
dstport
@eventtype
@in_if
@index
ip_len
ip_TTL
lineCount
@out_if
@policy
@proto
@punct
@serial
@splunk_server
@src
srcPort
@tag
@tag::eventtype
timeendpos
timestartops
I had gone through the below CIM Network Traffic Model but not sure how to start and what to write in the props.conf and transforms.conf. Kindly guide me on this.
https://docs.splunk.com/Documentation/CIM/4.8.0/User/NetworkTraffic
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be easier for you to use the GUI to just alias out fields by sourcetype there.
https://[yoursplunkURL]/en-US/manager/search/data/props/fieldaliases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Duke, I had written field aliases for some of the fields by comparing the fields in the events and the fields which are similar in the CIM Network traffic .
Example :
For field name = dst Field aliases equivalent to this after comparing with CIM Network traffic is
FIELDALIAS-dest_ip_for_watchguard = dst AS dest_ip
My question what to write for props/transforms to apply for a field aliases and evals. Kindly guide me on this.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not versed enough in transforms to help you in this regard. Only from personal experience have I, when only a hand full of fields were needed to be renamed, simply used the GUI to alias them.
With props and transforms, it's trial and error, and google searches. I typically import some sample data onto a development stand-alone splunk server and try it out there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try searching splunkbase for an addon? There are quite many addons out there to help you with your firewall's log fields.
Skalli
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi skalliger thanks for your quick response. I am looking for watchguard application but I did not find any app related to this. So kindly guide me how to write a props/transforms to apply for a field aliases and evals.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All can any one guide me on how to write a props/transforms to apply for a field aliases and evals for firewall events.
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All could you please guide me on how to write a props/transforms to apply for a field aliases and evals for firewall events.
thanks in advance.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
