Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sourcetype not applying eval and field alias
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype not applying eval and field alias
ranjitbrhm1
Communicator
01-08-2020
08:57 PM
Hello All, i am trying to customize a sophos TA and i have an issue with EVAL and field alias. My props are like below
[sophos:xg:sys]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELDALIAS-app = application AS app
FIELDALIAS-bytes_in = recv_bytes AS bytes_in
FIELDALIAS-bytes_out = sent_bytes AS bytes_out
FIELDALIAS-dest = dst_ip AS dest
FIELDALIAS-dest_ip = dst_ip AS dest_ip
FIELDALIAS-dest_zone = dstzone AS dest_zone
FIELDALIAS-dest_port = dst_port AS dest_port
FIELDALIAS-dest_translated_ip = tran_dst_ip AS dest_translated_ip
FIELDALIAS-dest_translated_port = dest_translated_port AS dest_translated_port
FIELDALIAS-dvc = host AS dvc
FIELDALIAS-dvc_ip = host AS dvc_ip
FIELDALIAS-packets_in = recv_pkts AS packets_in
FIELDALIAS-packets_out = sent_pkts AS packets_out
FIELDALIAS-signature = message AS signature
FIELDALIAS-src = src_ip AS src
FIELDALIAS-src_translated_port = tran_src_port AS src_translated_port
FIELDALIAS-src_zone = srczone AS src_zone
FIELDALIAS-user = user_name AS user
EVAL-bytes = recv_bytes+sent_bytes
EVAL-log_level = case(priority=="Warning","warn",priority=="Information" OR priority=="Notice","info")
EVAL-packets = recv_pkts+sent_pkts
EVAL-protocol = lower(protocol)
EVAL-transport = lower(protocol)
EVAL-vendor = "Sophos"
EVAL-product = "XG Firewall"
EVAL-vendor_product = "Sophos XG Firewall"
TRANSFORMS-fix_sophos_sourcetype = rewrite_sophos_sourcetype, rewrite_sophos_sourcetypes
[sophos:xg:sysFirewall]
EVAL-action = case(status=="Allow","allowed", status=="Deny","blocked")
EVAL-direction = if((isnotnull(in_interface) AND in_interface!="") AND (isnull(out_interface) OR out_interface==""),"inbound","outbound")
[sophos:xg:IDP]
EVAL-ids_type = "network"
EVAL-action = case(log_subtype=="Drop","blocked")
FIELDALIAS-signature = signature_msg AS signature
I am splitting the sourcetype using a simple regex on the transforms file. The sourcetypes are splitting correctly but the field extractions defined below the sourcetype are not working correctly.
all the field alias and the EVAL defined before the transforms are working correctly as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfreitas
Builder
01-09-2020
02:50 AM
Just to make it clear, are you talking the evals and field alias not working on the new transformed sourcetypes or on the old sourcetype (sophos:xg:sys).
Is there any remaining events with that old sourcetype?
Would be good to have a sample of your transforms.conf just for reference
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
