sourcetype not applying eval and field alias


Hello All, I am trying to customize a Sophos TA and I have an issue with EVAL and field alias. My props are like below:

FIELDALIAS-app = application AS app
FIELDALIAS-bytes_in = recv_bytes AS bytes_in
FIELDALIAS-bytes_out = sent_bytes AS bytes_out
FIELDALIAS-dest = dst_ip AS dest
FIELDALIAS-dest_ip = dst_ip AS dest_ip
FIELDALIAS-dest_zone = dstzone AS dest_zone
FIELDALIAS-dest_port = dst_port AS dest_port
FIELDALIAS-dest_translated_ip = tran_dst_ip AS dest_translated_ip
FIELDALIAS-dest_translated_port = dest_translated_port AS dest_translated_port
FIELDALIAS-dvc = host AS dvc
FIELDALIAS-dvc_ip = host AS dvc_ip
FIELDALIAS-packets_in = recv_pkts AS packets_in
FIELDALIAS-packets_out = sent_pkts AS packets_out
FIELDALIAS-signature = message AS signature
FIELDALIAS-src = src_ip AS src
FIELDALIAS-src_translated_port = tran_src_port AS src_translated_port
FIELDALIAS-src_zone = srczone AS src_zone
FIELDALIAS-user = user_name AS user
EVAL-bytes = recv_bytes+sent_bytes
EVAL-log_level = case(priority=="Warning","warn",priority=="Information" OR priority=="Notice","info")
EVAL-packets = recv_pkts+sent_pkts
EVAL-protocol = lower(protocol)
EVAL-transport = lower(protocol)
EVAL-vendor = "Sophos"
EVAL-product = "XG Firewall"
EVAL-vendor_product = "Sophos XG Firewall"
TRANSFORMS-fix_sophos_sourcetype = rewrite_sophos_sourcetype, rewrite_sophos_sourcetypes
EVAL-action = case(status=="Allow","allowed", status=="Deny","blocked")
EVAL-direction = if((isnotnull(in_interface) AND in_interface!="") AND (isnull(out_interface) OR out_interface==""),"inbound","outbound")
EVAL-ids_type = "network"
EVAL-action = case(log_subtype=="Drop","blocked")
FIELDALIAS-signature = signature_msg AS signature

I am splitting the sourcetype using a simple regex in the transforms file. The sourcetypes are splitting correctly, but the field extractions defined below the sourcetype are not working correctly.
All the field aliases and the EVALs defined before the transforms are working correctly as well.



Just to make it clear, are you talking about the evals and field aliases not working on the new transformed sourcetypes or on the old sourcetype (sophos:xg:sys)?
Are there any remaining events with that old sourcetype?
It would be good to have a sample of your transforms.conf, just for reference.

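As an added illustration of the setup in the question (not the poster's files and not the Sophos TA's own configuration), here is a transforms.conf of the kind the reply asks for, paired with a props.conf that shows where search-time settings must live once events are rewritten. The regexes, the `log_type` values and the new sourcetype names are assumptions; only `sophos:xg:sys` and the transform names come from the thread.

```ini
# transforms.conf (added example; REGEX values and target sourcetypes are assumed)
[rewrite_sophos_sourcetype]
REGEX = log_type="Firewall"
FORMAT = sourcetype::sophos:xg:firewall
DEST_KEY = MetaData:Sourcetype

[rewrite_sophos_sourcetypes]
REGEX = log_type="IDP"
FORMAT = sourcetype::sophos:xg:idp
DEST_KEY = MetaData:Sourcetype

# props.conf
# The TRANSFORMS rewrite runs at index time, against the sourcetype the
# input assigned. Order of keys inside a stanza does not matter.
[sophos:xg:sys]
TRANSFORMS-fix_sophos_sourcetype = rewrite_sophos_sourcetype, rewrite_sophos_sourcetypes
# FIELDALIAS-* and EVAL-* placed here apply only to events that are
# still stored as sophos:xg:sys; rewritten events never match this stanza.

# Search-time knowledge is keyed by the sourcetype stored with the event,
# so aliases and evals for rewritten events belong under the new stanzas.
[sophos:xg:firewall]
FIELDALIAS-src = src_ip AS src
FIELDALIAS-dest = dst_ip AS dest
FIELDALIAS-user = user_name AS user
EVAL-bytes = recv_bytes+sent_bytes
EVAL-protocol = lower(protocol)
# One EVAL-action per stanza: a repeated key in the same stanza replaces
# the earlier one, so the Drop case is folded into a single expression.
EVAL-action = case(status=="Allow","allowed", status=="Deny","blocked", log_subtype=="Drop","blocked")
EVAL-vendor_product = "Sophos XG Firewall"

[sophos:xg:idp]
FIELDALIAS-signature = signature_msg AS signature
EVAL-ids_type = "network"
EVAL-action = case(log_subtype=="Drop","blocked")
EVAL-vendor_product = "Sophos XG Firewall"
```

After deploying, `index=<your index> | stats count by sourcetype` confirms which sourcetype each event was stored under, which is the stanza its search-time fields are read from.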