dnslookup on oneidentity-safeguard app

paolos
Loves-to-Learn Everything

Why does oneidentity override the dnslookup transform, changing the parameter names?
From clientip to ip, from clienthost to host.

datadevops
Path Finder

Hi there,

Here's what I've gathered:

Potential Reasons for Override:

  • Consistency: OneIdentity might strive for consistent parameter naming across its apps and transforms, aligning with internal conventions or broader Splunk best practices.
  • Functionality: Specific features or integrations within the OneIdentity-Safeguard app might necessitate these parameter names for proper operation.
  • Security Considerations: Potential security enhancements or data handling requirements could be driving the parameter name modifications.

Next Steps:

  1. Consult Documentation: Thoroughly review the OneIdentity-Safeguard app's documentation for any explicit explanations regarding the parameter name changes.
  2. Reach Out to OneIdentity: If documentation doesn't provide clarity, engage OneIdentity's support or community forums for direct answers from experts.
  3. Adapt Searches: Adjust your existing Splunk searches and dashboards to accommodate the new parameter names (e.g., using ip instead of clientip).

Additional Considerations:

  • Customizations: If you've made custom modifications to the dnslookup transform, carefully review and update them to align with the new parameter names.
  • Third-Party Apps: If you're using third-party apps that rely on the dnslookup transform, ensure compatibility with the updated parameter names.

Key Points:

  • It's crucial to understand the rationale behind such changes to ensure smooth integration with other apps and maintain data integrity.
  • Collaboration with OneIdentity or their community can provide valuable insights and best practices.
  • Proactive adaptation of searches and configurations will maintain the functionality of your Splunk environment.

~ If the reply helps, a Karma upvote would be appreciated

paolos
Loves-to-Learn Everything

Thank you @datadevops,
the problem is that the oneidentity change will block all other Splunk applications
using the native dnslookup.

Paolo
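
The collision described in this thread can be checked for offline. The following is an added example, not part of the original posts and not OneIdentity's or Splunk's code: it compares `transforms.conf` contents from several sources and reports lookup stanzas that share a name but declare different `fields_list` values. The sample stanzas are constructed (the vendor stanza is modelled on the field names given in the question) and the path `apps/vendor_app/default` is hypothetical.

```python
# Added example: find lookup stanzas defined in several places with different fields.
from collections import defaultdict

def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; skips comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def field_set(stanza):
    """Field names declared by a lookup stanza's fields_list, order-insensitive."""
    return frozenset(f.strip() for f in stanza.get("fields_list", "").split(",") if f.strip())

def find_conflicts(confs):
    """confs: {source_name: conf_text}. Returns {stanza: {source: fields}} for
    stanzas that appear in more than one source with differing fields_list."""
    seen = defaultdict(dict)
    for source, text in confs.items():
        for name, body in parse_conf(text).items():
            if "fields_list" in body:
                seen[name][source] = field_set(body)
    return {n: s for n, s in seen.items() if len(set(s.values())) > 1}

# Constructed sample input: a native-style stanza and a vendor override (assumed contents).
SAMPLE = {
    "system/default": "[dnslookup]\n"
                      "external_cmd = external_lookup.py clienthost clientip\n"
                      "fields_list = clienthost,clientip\n",
    "apps/vendor_app/default": "# constructed override\n[dnslookup]\n"
                               "external_cmd = external_lookup.py host ip\n"
                               "fields_list = host,ip\n\n"
                               "[other_lookup]\nfilename = other.csv\n",
}

if __name__ == "__main__":
    for name, sources in find_conflicts(SAMPLE).items():
        print(f"[{name}] is defined with different fields:")
        for src, fields in sorted(sources.items()):
            print(f"  {src}: {sorted(fields)}")
```

On a live instance, `splunk btool transforms list dnslookup --debug` shows which file each effective setting comes from.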
