Hello community, I'm new to Splunk custom TAs and would like to collect the Linux firewall log. I've searched the web to see if anyone has already done this, but I can't find anything. I created a TA structure, but I have a problem: the PROTO field in the log can be numeric or a string (I find TCP, UDP, or 1, 2, 47, etc.) and I want everything to be a descriptive string placed in the "transport" field. I added this code to props.conf, but it doesn't seem to work:

    # -------------------------------
    # Normalize transport (numeric + string proto)
    # -------------------------------
    # A props.conf setting must be a single logical line, so the trailing
    # backslashes continue the eval expression across lines.
    EVAL-transport = case( \
        lower(proto)=="tcp" OR proto=="6", "tcp", \
        lower(proto)=="udp" OR proto=="17", "udp", \
        lower(proto)=="icmp" OR proto=="1", "icmp", \
        lower(proto)=="igmp" OR proto=="2", "igmp", \
        proto=="47", "gre", \
        proto=="50", "esp", \
        proto=="51", "ah", \
        lower(proto)=="icmp6" OR proto=="58", "icmp", \
        proto=="89", "ospf", \
        proto=="108", "ipip", \
        proto=="112", "vrrp", \
        proto=="115", "l2tp", \
        proto=="132", "sctp", \
        proto=="137", "mpls", \
        true(), "unknown" \
    )

If I use the single EVAL instead, it works:

    EVAL-transport = lower(proto)

Could you help me? Thanks
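The same PROTO-to-transport normalization as an added example, not part of the question: a Python script that applies the question's mapping to constructed netfilter-style KEY=VALUE log lines (sample values, not real logs), useful for checking the case() branches against sample events before they go into props.conf.

```python
import re

# Same PROTO -> transport mapping the question's case() expression encodes:
# symbolic names (any case) and IANA protocol numbers both normalize to one string.
PROTO_BY_NUMBER = {
    "6": "tcp", "17": "udp", "1": "icmp", "2": "igmp", "47": "gre", "50": "esp",
    "51": "ah", "58": "icmp", "89": "ospf", "108": "ipip", "112": "vrrp",
    "115": "l2tp", "132": "sctp", "137": "mpls",
}
PROTO_BY_NAME = {"tcp", "udp", "icmp", "igmp"}   # symbolic names the case() handles
PROTO_ALIASES = {"icmp6": "icmp"}               # the question folds ICMPv6 into icmp


def normalize_transport(proto):
    """Mirror EVAL-transport: numeric or symbolic PROTO -> descriptive string."""
    if proto is None:
        return "unknown"
    p = proto.strip().lower()
    if p in PROTO_BY_NAME:
        return p
    if p in PROTO_ALIASES:
        return PROTO_ALIASES[p]
    return PROTO_BY_NUMBER.get(p, "unknown")


# Assumed netfilter/iptables-style line: "IN=eth0 OUT= SRC=... PROTO=TCP SPT=... DPT=..."
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Extract KEY=VALUE fields from one kernel firewall log line (keys lowercased)."""
    return {k.lower(): v for k, v in KV_RE.findall(line)}


def transport_for_line(line):
    return normalize_transport(parse_event(line).get("proto"))


# Constructed sample events: string, numeric and unmapped PROTO values.
SAMPLE_LINES = [
    "kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=22",
    "kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 PROTO=1 TYPE=8 CODE=0",
    "kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 LEN=120 PROTO=47",
    "kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=253",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(transport_for_line(line))   # tcp, icmp, gre, unknown
```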