Splunk Search

Why are the extracted values different in the field?

Explorer

Hi all,
As I'm newbie and trying to figure out an issue with logs coming from a fortigate utm. I have no clue why I see different value from the raw log to the searched query.
Where exactly should I look for this difference? I've been checking field extraction, field aliases and so on but I could not find anything that would change the value. The correct one is "detected" but keep showing "blocked" and I have no idea who configure this before.
Any help would be welcome.
See the attached file.

0 Karma
1 Solution

Explorer

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

View solution in original post

0 Karma

Explorer

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

View solution in original post

0 Karma