Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are the extracted values different in the field?

agcorreia
Explorer
‎02-15-2018 11:22 PM

Hi all,
As I'm newbie and trying to figure out an issue with logs coming from a fortigate utm. I have no clue why I see different value from the raw log to the searched query.
Where exactly should I look for this difference? I've been checking field extraction, field aliases and so on but I could not find anything that would change the value. The correct one is "detected" but keep showing "blocked" and I have no idea who configure this before.
Any help would be welcome.
See the attached file.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

agcorreia
Explorer
‎02-16-2018 01:41 AM

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

agcorreia
Explorer
‎02-16-2018 01:41 AM

I just found out that a lookup csv file were there with different actions.
One column with the action from fortigate with some xxx_action and and other column with action and different types of actions. As soon as I changed the field from blocked at action side to detected, start to show correctly.
Thanks for the attention given.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...