Splunk Phantom

Issue to Map fields between QRadar and Phantom

New Member

Hello,

I'm using the QRadar integration on Phantom, and we can define the mapping between Phantom and QRadar.
I got an issue when i tried to map fields, so the map works correctly for generic field (QID, username, sourceip, etc...) and Custom Fields that doesn't containing space character, for example "EventID". But when i tried to map custom field that contain a space character like "Domain Name", the mapping doesn't work.
Someone got the same issue than me ?

Thank you in advance,
Regards,
Florian

Labels (1)
Tags (3)
0 Karma

New Member

Comma separated list of field names. Shouldn't double quotes be used if the field name contains spaces?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!