Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sourcetype not applying eval and field alias
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype not applying eval and field alias
ranjitbrhm1
Communicator
01-08-2020
08:57 PM
Hello All, i am trying to customize a sophos TA and i have an issue with EVAL and field alias. My props are like below
[sophos:xg:sys]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELDALIAS-app = application AS app
FIELDALIAS-bytes_in = recv_bytes AS bytes_in
FIELDALIAS-bytes_out = sent_bytes AS bytes_out
FIELDALIAS-dest = dst_ip AS dest
FIELDALIAS-dest_ip = dst_ip AS dest_ip
FIELDALIAS-dest_zone = dstzone AS dest_zone
FIELDALIAS-dest_port = dst_port AS dest_port
FIELDALIAS-dest_translated_ip = tran_dst_ip AS dest_translated_ip
FIELDALIAS-dest_translated_port = dest_translated_port AS dest_translated_port
FIELDALIAS-dvc = host AS dvc
FIELDALIAS-dvc_ip = host AS dvc_ip
FIELDALIAS-packets_in = recv_pkts AS packets_in
FIELDALIAS-packets_out = sent_pkts AS packets_out
FIELDALIAS-signature = message AS signature
FIELDALIAS-src = src_ip AS src
FIELDALIAS-src_translated_port = tran_src_port AS src_translated_port
FIELDALIAS-src_zone = srczone AS src_zone
FIELDALIAS-user = user_name AS user
EVAL-bytes = recv_bytes+sent_bytes
EVAL-log_level = case(priority=="Warning","warn",priority=="Information" OR priority=="Notice","info")
EVAL-packets = recv_pkts+sent_pkts
EVAL-protocol = lower(protocol)
EVAL-transport = lower(protocol)
EVAL-vendor = "Sophos"
EVAL-product = "XG Firewall"
EVAL-vendor_product = "Sophos XG Firewall"
TRANSFORMS-fix_sophos_sourcetype = rewrite_sophos_sourcetype, rewrite_sophos_sourcetypes
[sophos:xg:sysFirewall]
EVAL-action = case(status=="Allow","allowed", status=="Deny","blocked")
EVAL-direction = if((isnotnull(in_interface) AND in_interface!="") AND (isnull(out_interface) OR out_interface==""),"inbound","outbound")
[sophos:xg:IDP]
EVAL-ids_type = "network"
EVAL-action = case(log_subtype=="Drop","blocked")
FIELDALIAS-signature = signature_msg AS signature
I am splitting the sourcetype using a simple regex on the transforms file. The sourcetypes are splitting correctly but the field extractions defined below the sourcetype are not working correctly.
all the field alias and the EVAL defined before the transforms are working correctly as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gfreitas
Builder
01-09-2020
02:50 AM
Just to make it clear, are you talking the evals and field alias not working on the new transformed sourcetypes or on the old sourcetype (sophos:xg:sys).
Is there any remaining events with that old sourcetype?
Would be good to have a sample of your transforms.conf just for reference
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
