Recently I downloaded the Check Point App for Splunk. I configured input.conf in order to force all Check Point devices to send their logs to the sourcetype cp_log:
sourcetype = cp_log
Now I can see all the necessary logs in this sourcetype, but if I look at the sourcetype settings, I can see that there should be many various fields. But I cannot see these fields when I perform a search. No necessary fields, no output in my Check Point App for Splunk. How do I get these fields? Or should I extract every field manually?
But the search "sourcetype="cp_log" | table *" returns a table with the fields that I need, but all of them are empty. Only the field "Action" contains the whole log text (look at the attached picture).