Splunk is unable to identify the source IP of the firewall from this log.
Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http sent=791 rcvd=3742
The correct source IP should be 10.0.59.59 which you can see in "fw=10.0.59.59". You can also see it just after the date/time stamp at the beginning of the line. So the data is duplicated. This is because Splunk can't find the value in the log line so it adds one automatically.
I got some help but was unable to make it work. Here is my props.conf file:
[sonicwall]
# in addition to other things add
TRANSFORMS-host = host_for_sonicwall
Here is my transforms.conf file:
[host_for_sonicwall]
DEST_KEY = MetaData:Host
REGEX = fw=[0-9.]
FORMAT = host::$1
When I look at the search area of splunk the host is showing up as "host=$1". It looks like it is not doing the substitution from the "FORMAT = host::$1" line.
The regex that you are using is wrong. It should be
# the parentheses form capture group 1, which is what $1 in FORMAT refers to
REGEX = fw=([0-9.]+)
Escaping the equal sign is optional, but the plus sign is essential in order to grab the whole IP address.
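To see why the `+` and the capture group both matter, here is a small Python model of what a transforms.conf stanza does to the event from the question. This is an added example for this thread, not Splunk's own code: `apply_transform` runs REGEX over the event and expands `$N` in FORMAT from capture group N, leaving `$N` literal when no such group exists (the behaviour the asker saw as `host=$1`). The event text is the sample line quoted above.

```python
import re

# Constructed sample event: the SonicWall line quoted in the question.
SAMPLE_EVENT = (
    'Jun 24 14:17:42 10.0.59.59 id=firewall sn=0017C569F354 '
    'time="2013-06-24 14:17:42" fw=10.0.59.59 pri=6 c=1024 m=537 '
    'msg="Connection Closed" app=49176 sess=Web n=3636758 usr="admin" '
    'src=10.103.62.80:29341:X1 dst=10.0.59.59:80:X1 proto=tcp/http '
    'sent=791 rcvd=3742'
)


def matched_text(regex, event=SAMPLE_EVENT):
    """Return what the whole regex matched (group 0), or None if no match."""
    m = re.search(regex, event)
    return m.group(0) if m else None


def apply_transform(regex, fmt, event=SAMPLE_EVENT):
    """Simplified model of a transforms.conf stanza (example code, not
    Splunk's implementation): run REGEX over the event and replace each
    $N in FORMAT with capture group N. A $N with no matching group is
    left as the literal text, which is the 'host=$1' the asker observed."""
    m = re.search(regex, event)
    if m is None:
        return None

    def expand(ref):
        n = int(ref.group(1))
        if 1 <= n <= len(m.groups()):
            return m.group(n)
        return ref.group(0)  # no such group: keep "$1" as-is

    return re.sub(r"\$(\d+)", expand, fmt)


def host_for(regex):
    """Value the MetaData:Host field would get with FORMAT = host::$1."""
    return apply_transform(regex, "host::$1")


if __name__ == "__main__":
    cases = [
        ("asker's regex", r"fw=[0-9.]"),       # one character, no group
        ("with +, no group", r"fw=[0-9.]+"),   # whole IP, but $1 still literal
        ("with + and group", r"fw=([0-9.]+)"), # whole IP, $1 = the address
    ]
    for label, rx in cases:
        print(f"{label:18} match={matched_text(rx)!r:18} host={host_for(rx)!r}")
```

Running it shows `fw=[0-9.]` only matches `fw=1`, `fw=[0-9.]+` matches the full `fw=10.0.59.59` but still leaves the host as the literal `host::$1`, and only `fw=([0-9.]+)` gives `host::10.0.59.59`.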
This is very useful to validate and create regular expressions: http://gskinner.com/RegExr/
This works perfectly. Thanks.
I have no idea how you wizards make this regex work. I'm sure I'll pick it up some day. 🙂
