Hi All,

I am facing an issue with logs from juniper SRX and ES. I am pretty new to splunk, i am hoping the answer would be an easy one to this.

I have a field called protocol-id with numeric values for the protocols e.g. 1,6,17 which are actually ICMP, TCP and UDP respectively. ES doesn't recognize the numeric values and in the ports and protocol dashboard.

I did the following but it's not working:

1. Created a csv with field "id, transport" which would correlate the numeric values to their respective protocols e.g 1-icmp, 6-tcp etc
2. Imported the csv in "lookup table files" and created the "lookup definitions"
3. Created Automatic lookup with source=juniper and Lookup input field "protocol_id" and Lookup output field as "transport"
4. All of this was done on the heavy forwarder, since i want this field to be populated at the forwarder or the index level before it reaches the ES.

Please let me know if this is the correct way or should i use another strategy.

Thanks!