Mapping field values to allowed valued for Enterpr...

shayhibah · ‎01-12-2020

Hi,

in my logs I have field named 'action' with the following possible values: detect, prevent, redirect.
In order to integrate with Enterprise Security, the allowed values for this field are: allowed or blocked.

I edited my props.conf and added new EVAL command with the same field name 'action' (EVAL-action = ...).

This change affect the way my app users will need to look for their data.
In past, they used to search for "action=prevent" while after this change, this query has no results at all since the value has changed to "blocked".
Moreover, in the raw events, action field contains my own values (detect, prevent, redirect) and not the new ones so its a bit confusing.

Is this how I need to map my field values into ES values?

lakshman239 · ‎02-24-2020

As the raw values contain (detect, prevent, re-direct), do you have TA/code that extracts these field values to a field called 'action'?. If so, your EVAL-action is overriding it.

My suggestion would be to have 2 fields, say 'vendor_action' and let it extract and have values like detect, prevent, re-direct. Then have another field extraction, say EVAL-action=.... map your logic to get 'allowed' and 'blocked'

The users can use vendor_action, if they want it specifically and CIM will have happy with 'action'.

Mapping field values to allowed valued for Enterprise Security (CIM Data Models)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation