
How to write props & transforms to apply for field aliases and evals for a firewall device.

Motivator

Hi All, kindly guide me on how to write props and transforms to apply field aliases and evals for firewall devices, using the CIM Network data model. Below is the list of fields that are available in the firewall events.

Interesting fields:

date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, disp, dst, dstport, eventtype, in_if, index, ip_len, ip_TTL, lineCount, outif, policy, proto, punct, serial, splunk_server, src, srcPort, tag, tag::eventtype, timeendpos, timestartpos

I have gone through the CIM Network Traffic model below but I am not sure how to start and what to write in props.conf and transforms.conf. Kindly guide me on this.

https://docs.splunk.com/Documentation/CIM/4.8.0/User/NetworkTraffic

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

SplunkTrust

Did you try searching Splunkbase for an add-on? There are quite a few add-ons out there to help you with your firewall's log fields.

Skalli

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Motivator

Hi skalliger, thanks for your quick response. I am looking for a WatchGuard application but I did not find any app related to this. So kindly guide me on how to write props/transforms to apply field aliases and evals.

thanks in advance.

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Motivator

Hi All, can anyone guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Motivator

Hi All, could you please guide me on how to write props/transforms to apply field aliases and evals for firewall events?

thanks in advance.

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Builder

It might be easier for you to use the GUI to just alias out fields by sourcetype there.

https://[yoursplunkURL]/en-US/manager/search/data/props/fieldaliases

0 Karma

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Motivator

Hi Duke, I have written field aliases for some of the fields by comparing the fields in the events with the similar fields in the CIM Network Traffic model.

Example :

For field name = dst, the field alias equivalent after comparing with CIM Network Traffic is
FIELDALIAS-destipforwatchguard = dst AS destip

My question is what to write in props/transforms to apply field aliases and evals. Kindly guide me on this.

thanks in advance.

0 Karma
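One way to lay this out, as an added example that is not from this thread and not from any Splunk or WatchGuard add-on: the sourcetype name `watchguard:firewall`, the lookup file and the `disp` values in it are assumptions, while the target names (`dest`, `dest_port`, `src_port`, `transport`, `action`, `rule`, `ttl`, `dvc`) are the CIM Network Traffic field names from the linked model. Field aliases and evals need only props.conf; transforms.conf comes in for the lookup (or for regex extractions), and eventtypes.conf plus tags.conf are what actually route the events into the Network Traffic data model.

```ini
# props.conf  (sourcetype name is assumed; use the one your WatchGuard input carries)
[watchguard:firewall]
# Search-time order: extractions -> FIELDALIAS -> EVAL -> LOOKUP -> eventtypes -> tags,
# so an EVAL may use an alias and a LOOKUP may use an EVAL, but not the other way round.
FIELDALIAS-watchguard_endpoints = dst AS dest dstport AS dest_port srcPort AS src_port
FIELDALIAS-watchguard_interfaces = in_if AS src_interface outif AS dest_interface
FIELDALIAS-watchguard_policy = policy AS rule
# ip_len is per-packet IP length; aliasing it to bytes assumes one event per packet
FIELDALIAS-watchguard_bytes = ip_len AS bytes
# CIM expects a lowercase transport, a numeric ttl and the reporting device in dvc
EVAL-transport = lower(proto)
EVAL-ttl = tonumber(ip_TTL)
EVAL-dvc = host
# disp holds the firewall verdict; map it to the CIM action vocabulary via a lookup
LOOKUP-watchguard_action = watchguard_action_lookup disp OUTPUTNEW action

# transforms.conf
[watchguard_action_lookup]
filename = watchguard_action.csv
case_sensitive_match = false

# lookups/watchguard_action.csv  (left column = assumed disp values, right = CIM action)
# disp,action
# Allow,allowed
# Deny,blocked
# Drop,blocked

# eventtypes.conf
[watchguard_network_traffic]
search = sourcetype="watchguard:firewall"

# tags.conf  (the Network Traffic data model selects events tagged network AND communicate)
[eventtype=watchguard_network_traffic]
network = enabled
communicate = enabled
```

After the settings are loaded, `sourcetype="watchguard:firewall" | table dest dest_port src src_port transport action rule` shows whether the CIM fields populate, and `| datamodel Network_Traffic All_Traffic search` confirms the events reach the model.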

Re: How to write props & transforms to apply for field aliases and evals for a firewall device.

Builder

I am not versed enough in transforms to help you in this regard. Only from personal experience, when just a handful of fields needed to be renamed, have I simply used the GUI to alias them.

With props and transforms, it's trial and error, and Google searches. I typically import some sample data onto a stand-alone development Splunk server and try it out there.

0 Karma