Solved: Why are the extracted values different in the fiel...

agcorreia · ‎02-15-2018

Hi all,
As I'm newbie and trying to figure out an issue with logs coming from a fortigate utm. I have no clue why I see different value from the raw log to the searched query.
Where exactly should I look for this difference? I've been checking field extraction, field aliases and so on but I could not find anything that would change the value. The correct one is "detected" but keep showing "blocked" and I have no idea who configure this before.
Any help would be welcome.
See the attached file.

agcorreia · ‎02-16-2018

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

View solution in original post

agcorreia · ‎02-16-2018

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

Why are the extracted values different in the field?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!