Setting the sourcetype to syslog was a big help, thank you! I found the field aliases are not working in Splunk 7.3.1. I was able to resolve many of the dashboards by changing vendor_action to action in the saved searches. Still seeing some strange behavior with the blocked traffic chart and table (both are empty), although the allowed chart and table work fine. Not sure how to resolve this, as the search is similar in both other than the action type. I did run the search alone and the data is there.