Hi Guys,
I am currently facing an issue with ES which seems to originate from renaming custom sourcetype names to the Splunk TAs' expected ones. Seeking some thoughts.
My client is enforcing a custom sourcetype naming convention for each source at input time. These sourcetype names are different from the ones expected by some out-of-the-box Splunk TA add-ons. In order to leverage the CIM mappings provided by the Splunk TAs, we have configured sourcetype renaming at search time in props.conf so that all mappings, field extractions, tagging, etc. are applied seamlessly in Enterprise Security.
(Let’s take Splunk_TA_oracle as an example going forward)
When searching from Enterprise Security, the custom sourcetype for Oracle audit logs is successfully renamed to "oracle:audit:text" and all database events come up with correct field extractions and mapping to CIM (including eventtypes and tags). However, when searching by tag (e.g. tag=authentication), the events that were successfully tagged as "authentication" in the previous result set do not come up. This is a problem since the population of the CIM data model is based on the tags.
The authentication data model and therefore ES doesn’t pick up these authentication events.
Would you know what the reason is, and is there a workaround?
Kind regards,
Vincent
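The search-time rename the post describes, written out as an added example for reference. This is not Vincent's configuration and not part of Splunk_TA_oracle; the custom sourcetype name `acme:oracle:audit` and the app name are assumptions standing in for the client's naming convention.

```ini
# Added example, not the poster's configuration and not shipped with Splunk_TA_oracle.
# Assumed custom sourcetype name: acme:oracle:audit (the client's naming convention).
# Deploy in props.conf on the search head, e.g.
#   $SPLUNK_HOME/etc/apps/acme_sourcetype_renames/local/props.conf
# so that it is visible to the Enterprise Security app.

[acme:oracle:audit]
# Search-time rename: events indexed with sourcetype acme:oracle:audit are
# presented as oracle:audit:text, so the extractions, eventtypes and tags that
# Splunk_TA_oracle defines under [oracle:audit:text] are applied to them.
# The original sourcetype remains available in the _sourcetype field.
rename = oracle:audit:text
```

To reproduce the symptom described in the post, run the two directions of the same question against the same time range and compare counts: `sourcetype=oracle:audit:text | stats count by tag` should list `authentication`, while `tag=authentication | stats count by sourcetype` should, but in this case does not, list `oracle:audit:text`. The data model side can be checked with `| datamodel Authentication Authentication search | stats count by sourcetype`, which shows whether the renamed events reach the Authentication data model at all.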