Hi,  Following up on the above discussion, has anyone else discovered that there are quite a few instances where the "incident_id" field is blank in the mc_notes lookup? The other fields (autor.username, create_time and content) contain the correct information but there is nothing in incident_id. Makes it a bit difficult to match the note to the corresponding incident 🙂 ... View more

I forgot to mention that . I have renderXML=true in the inputs. So I get the XML data, just looking for the best way to extract all the fields automatically. ... View more

Since upgrading Splunk to 6.5 this problem has gone away for me. Not the quick and easy fix, but we were planning to upgrade anyway. ... View more

Actually, this was relevant but hidden by the typo I had in one of the transforms stanzas. ... View more

You are absolutely right. DST_KEY was one of the problems. ... View more

Yes, I've tried that. Same result though. ... View more

Iforgot to mention. This is 4.1.0 on Splunk 6.5 ... View more

Maybe I shouldn't answer myself, but since this i a rather large post I'll take a chance. After some digging, its seems like Splunk or the LEA system actually records the logs from Checkpoint three times. Here is a log record from Checkpoint Tracker, I've removed addresses etc.: And the same record when exported with fw log ( I had to slightly modify the format): 31Oct2016 10:00:00 allow removed-ip eth2-01.111 src:removed-ip;dst:193.212.4.120;proto:tcp;appi_name:Google Keep;app_desc:Google Keep is a note-taking service. Google Keep allows to write notes and color code them, to take pictures and record your voice. Supported from: R75.40.;app_id:60460461;app_category:Business Applications;matched_category:Business Applications;app_properties:SSL Protocol, Very Low Risk, Business Applications;app_risk:1;app_rule_id:{0EF98E02-F296-4AAB-AB87-F618F933362F};app_rule_name:default-ut;web_client_type:Other: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko;app_sig_id:60460461:6;resource:http://clients4.google.com/invalidation/lcs/request;proxy_src_ip:removed-ip;bytes:2357;sent_bytes:1984;received_bytes:373;browse_time:0:00:01;Suppressed logs:1;Referrer_self_uid:{58170810-0000-0000-8496-39100C0000C0};user:fjernet;src_user_name:fjernet;snid:51bfa9cd;product:Application Control;service:80;s_port:38975;product_family:Network While in Splunk the same log looks like this: The records in Splunk look the same, except for the "loc=" part and the fact that they are cut off at different points. The middle one seems to be the correct one in this sample, while the top and bottom ones are missing data. Does anyone have a suggestion to where to start looking to figure this out? Thanks. ... View more

Splunk Enterprise 6.4.3 An it does not look like this text is part of the CIM app: [splunk@search1 Splunk_SA_CIM]$ find . -type f | xargs grep "Legend" [splunk@search1 Splunk_SA_CIM]$ Also, the only place I've found the whole string (in text files) is in $SPLUNK_HOME/lib/python2.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py: [splunk@search1 lib]$ find . -type f | xargs grep "I am Legend" ./python2.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py: "legend" : block.get("title", "I am Legend"), It's actually part of this definition: def generateUIHelperFromEntity(self, entity, namespace='search'): uiHelper = {} uiHelper["header"] = "%s setup" % namespace uiHelper["elements"] = [] hasInputElements = False setupXml = entity.get("eai:setup", None) # logger.debug(setupXml) import xml.etree.cElementTree as et root = et.fromstring(setupXml) block_nodes = root.findall('block') i = 0 for block in block_nodes: # Refer to JIRA STEWIE-531 for the all details regarding this change !! # code below allows apps to have setup.xml to define a custom setup UI, example of setup.xml below: # <setup><block task="mycustomsetupui" type="redirect"/></setup> # Pickup the custom partial URL from task attribute of block and redirect to custom setup ui # <locale>/app/<app-name>/<value of task attribute>?redirect_to_custom_setup=1 # Look in view.py for consumption of redirect_to_custom_setup query param, which is used to bypass # the setup dialog !! if 'task' in block.attrib and 'type' in block.attrib and block.attrib['type'] == 'redirect': redirect_to = '/app/%s/%s' % (namespace, block.attrib['task']) logger.info("Redirecting to custom setup for app=%s url=%s" % (namespace, redirect_to)) self.redirect_to_url(redirect_to, _qs={"redirect_to_custom_setup":"1"}) return fieldsetElement = { "elementName" : "blockFieldset-%s" % i, "showInView" : [ "edit" ], "type" : "fieldset", "legend" : block.get("title", "I am Legend"), "elements" : [] } j = 0 for node in block: # go through everything in the block and add to this fieldset logger.debug(node.tag) if node.tag == "text": # for <text> nodes, put them into a type: helpstring element = { "elementName" : "textNode-%s-%s" % (i, j), "type" : "helpstring", "helpText" : node.text, "showInView" : [ "edit" ] } fieldsetElement["elements"].append(element) elif node.tag == "input": # for <input> nodes, put them into the appropriate type per the input type = node.find("type").text if type == "bool": elementType = "checkbox" elif type == 'password': elementType = "password" else: elementType = "textfield" elementLabel = node.find("label").text element = { "elementName" : node.get("id"), "type" : elementType, "label" : elementLabel, "showInView" : [ "edit" ] } fieldsetElement["elements"].append(element) hasInputElements = True j = j + 1 uiHelper["elements"].append(fieldsetElement) i = i + 1 if not hasInputElements: uiHelper["_noInputElements"] = True return uiHelper ... View more

This is on Splunk Enterprise 6.4.3, so that should not be the problem. ... View more

Thank you! This worked fine. The resource field is cleand up, and the pipes removed. And the URl still works if needed for some reason. ... View more

Hi, thanks for thew suggestion. I'm not sure if I easily can get the app to read the fw1-loggrabber.conf file. It does not by default. Any suggestions on how I can get Splunk to ignore escaped field separators? eg. "|" ... View more

Hi, of course 🙂 Just missed that last time 😞 The opsec app is installed on the indexers and search head plus on a heavy forwarder that is doing the actual collection from the Checkpoint system. Also, the config is not changed apart form the testing with different data formats in fw1-loggrabber.conf that I mentioned above. ... View more

Yes the the default/props.conf file contains what you mention. But still loc=4292529|time=22May2014 0:26:54|action=accept|src=132.150.245.122|s_port=58730|dst=132.150.7.52|service=53|proto=udp is indexed as occuring on todays date, but with correct time. (I've tried using both DATEFORMAT="cp" (the default) and DATEFORMAT="std" in fw1-loggrabber.conf. In both cases the time is indexed properly, but the date is ignored and set to the date at indexing time) ... View more

There already is an answer, but just to make the information complete: splunk-add-on-for-check-point-opsec-lea-linux_210.tgz And I have tested with both Firefox and IE 10 ... View more

Thanks for the tip on kv_mode. I was starting to look in that direction myself. It's going to be a bit time consuming I think, but I'll see what I can do. I can always hope that the "official" app is updated 🙂 ... View more