Security

How to write props & transforms to apply for field aliases and evals for a firewall device.

Hemnaath
Motivator

Hi All, kindly guide me on how to write props and transforms to apply field aliases and evals for firewall devices, using the CIM Network data model. Below is the list of fields that are available in the firewall events.

Interesting fields:

date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
disp
dst
dstport
eventtype
in_if
index
ip_len
ip_TTL
lineCount
out_if
policy
proto
punct
serial
splunk_server
src
srcPort
tag
tag::eventtype
timeendpos
timestartpos

I have gone through the CIM Network Traffic model below but am not sure how to start and what to write in props.conf and transforms.conf. Kindly guide me on this.

https://docs.splunk.com/Documentation/CIM/4.8.0/User/NetworkTraffic

0 Karma

JDukeSplunk
Builder

It might be easier for you to use the GUI to just alias out fields by sourcetype there.

https://[yoursplunkURL]/en-US/manager/search/data/props/fieldaliases

0 Karma

Hemnaath
Motivator

Hi Duke, I have written field aliases for some of the fields by comparing the fields in the events with the similar fields in the CIM Network Traffic model.

Example:

For field name = dst, the field alias equivalent after comparing with CIM Network Traffic is:
FIELDALIAS-dest_ip_for_watchguard = dst AS dest_ip

My question is what to write in props/transforms to apply field aliases and evals. Kindly guide me on this.

thanks in advance.

0 Karma
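As an added example (not from this thread or from any WatchGuard add-on), the configuration below maps the fields listed in the question onto CIM Network Traffic names with FIELDALIAS- and EVAL- in props.conf, and adds the eventtypes.conf and tags.conf entries that attach the network and communicate tags the Network_Traffic data model requires. The sourcetype name watchguard:firewall and the allow/deny values matched in disp are assumptions; field aliases and calculated fields live only in props.conf, and transforms.conf is needed only if a REPORT- extraction or a lookup is also required.

```ini
# props.conf -- search-time knowledge for the firewall sourcetype.
# Assumption: the events are indexed with sourcetype "watchguard:firewall".
# Splunk applies FIELDALIAS- before EVAL-, so evals may reference aliased names.
[watchguard:firewall]
# Aliases keep the original field and add the CIM name beside it.
FIELDALIAS-watchguard_src_ip    = src AS src_ip
FIELDALIAS-watchguard_dest_ip   = dst AS dest_ip
FIELDALIAS-watchguard_src_port  = srcPort AS src_port
FIELDALIAS-watchguard_dest_port = dstport AS dest_port
FIELDALIAS-watchguard_ifaces    = in_if AS src_interface out_if AS dest_interface
FIELDALIAS-watchguard_rule      = policy AS rule
FIELDALIAS-watchguard_ttl       = ip_TTL AS ttl
# Calculated fields cover CIM fields whose value must be derived from the raw data.
EVAL-src       = coalesce(src_ip, src)
EVAL-dest      = coalesce(dest_ip, dst)
EVAL-transport = lower(proto)
# Assumption: disp carries the firewall's disposition (e.g. Allow / Deny);
# adjust the regex patterns to the values actually present in your events.
EVAL-action = case(match(disp, "(?i)allow"), "allowed", match(disp, "(?i)deny|drop|block"), "blocked", true(), "unknown")
EVAL-vendor_product = "WatchGuard firewall"

# eventtypes.conf -- select the events that belong in the Network Traffic model.
# Aliased names can be used here because eventtypes are evaluated at search time.
[watchguard_network_traffic]
search = sourcetype="watchguard:firewall" src_ip=* dest_ip=*

# tags.conf -- Network_Traffic only accepts events tagged both network and communicate.
[eventtype=watchguard_network_traffic]
network = enabled
communicate = enabled
```

After deploying, a search such as sourcetype="watchguard:firewall" | table src_ip dest_ip dest_port transport action rule confirms the aliases and evals resolve before you check the data model itself.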

JDukeSplunk
Builder

I am not versed enough in transforms to help you in this regard. Only from personal experience: when only a handful of fields needed to be renamed, I simply used the GUI to alias them.

With props and transforms, it's trial and error, and Google searches. I typically import some sample data onto a stand-alone development Splunk server and try it out there.

0 Karma

skalliger
SplunkTrust

Did you try searching Splunkbase for an add-on? There are quite a few add-ons out there to help you with your firewall's log fields.

Skalli

0 Karma

Hemnaath
Motivator

Hi skalliger, thanks for your quick response. I am looking for a WatchGuard application but did not find any app related to this. So kindly guide me on how to write props/transforms to apply field aliases and evals.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, could you please guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma