I have an index called firewall and sourcetypes of Palo Alto, Checkpoint and Fortinet routers
The configuration was carried out according to the documentation recommendations regarding recommended sourcertype and Add-on according to the vendor
The "action" type fields that are accepted have different names depending on the brand of the device
Those that are accepted are:
allowed
accept
Authorize
pass
Taking into account that "accept" and "allowed" mean the same thing, should I normalize them? or as they are already recognized by the correlation events that Splunk ES has created?
Aliases create new fields with different names, but the same values so they won't help normalize values. Use eval.
EVAL action=if(action="accept" OR action="Authorize" OR action="pass", "allowed", action)
Splunk ES expects normalized field values as documented in the Common Information Model (CIM). The TAs for those sources should have normalized the fields for you, but if they did not (or you don't use TAs) then you'll have to do so.
should I do it through aliases?
Aliases create new fields with different names, but the same values so they won't help normalize values. Use eval.
EVAL action=if(action="accept" OR action="Authorize" OR action="pass", "allowed", action)
@richgalloway Last question, what is the correct way to normalize it in this case?