Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sourcetype not applying eval and field alias

ranjitbrhm1
Communicator
‎01-08-2020 08:57 PM

Hello All, i am trying to customize a sophos TA and i have an issue with EVAL and field alias. My props are like below

[sophos:xg:sys]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
FIELDALIAS-app = application AS app
FIELDALIAS-bytes_in = recv_bytes AS bytes_in
FIELDALIAS-bytes_out = sent_bytes AS bytes_out
FIELDALIAS-dest = dst_ip AS dest
FIELDALIAS-dest_ip = dst_ip AS dest_ip
FIELDALIAS-dest_zone = dstzone AS dest_zone
FIELDALIAS-dest_port = dst_port AS dest_port
FIELDALIAS-dest_translated_ip = tran_dst_ip AS dest_translated_ip
FIELDALIAS-dest_translated_port = dest_translated_port AS dest_translated_port
FIELDALIAS-dvc = host AS dvc
FIELDALIAS-dvc_ip = host AS dvc_ip
FIELDALIAS-packets_in = recv_pkts AS packets_in
FIELDALIAS-packets_out = sent_pkts AS packets_out
FIELDALIAS-signature = message AS signature
FIELDALIAS-src = src_ip AS src
FIELDALIAS-src_translated_port = tran_src_port AS src_translated_port
FIELDALIAS-src_zone = srczone AS src_zone
FIELDALIAS-user = user_name AS user
EVAL-bytes = recv_bytes+sent_bytes
EVAL-log_level = case(priority=="Warning","warn",priority=="Information" OR priority=="Notice","info")
EVAL-packets = recv_pkts+sent_pkts
EVAL-protocol = lower(protocol)
EVAL-transport = lower(protocol)
EVAL-vendor = "Sophos"
EVAL-product = "XG Firewall"
EVAL-vendor_product = "Sophos XG Firewall"
TRANSFORMS-fix_sophos_sourcetype = rewrite_sophos_sourcetype, rewrite_sophos_sourcetypes
[sophos:xg:sysFirewall]
EVAL-action = case(status=="Allow","allowed", status=="Deny","blocked")
EVAL-direction = if((isnotnull(in_interface) AND in_interface!="") AND (isnull(out_interface) OR out_interface==""),"inbound","outbound")
[sophos:xg:IDP]
EVAL-ids_type = "network"
EVAL-action = case(log_subtype=="Drop","blocked")
FIELDALIAS-signature = signature_msg AS signature

I am splitting the sourcetype using a simple regex on the transforms file. The sourcetypes are splitting correctly but the field extractions defined below the sourcetype are not working correctly.
all the field alias and the EVAL defined before the transforms are working correctly as well.

0 Karma
Reply

gfreitas
Builder
‎01-09-2020 02:50 AM

Just to make it clear, are you talking the evals and field alias not working on the new transformed sourcetypes or on the old sourcetype (sophos:xg:sys).
Is there any remaining events with that old sourcetype?
Would be good to have a sample of your transforms.conf just for reference

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...