Hi @hassan1214, here are a few things to check to begin troubleshooting this issue:

- Are you running the search in Fast Mode? If so, try running it in Smart Mode.
- Are any of the winfw fields being extracted? Or only Splunk internal fields?
- Check for any parsing issues in the splunkd.log:

    index=_internal sourcetype=splunkd log_level!=INFO source=*splunkd.log *winfw*

The TA uses the following transforms.conf stanza to extract fields. Please check that the content of your pfirewall.log matches this format:

    DELIMS = " "
    FIELDS = date,time,win_action,transport,src,dest,src_port,dest_port,size,tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction
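Added example (not part of the original post and not code from the TA): one way to check a pfirewall.log against the DELIMS/FIELDS stanza quoted above is to split each line on single spaces and compare the column count with the FIELDS list. The function name `check_pfirewall` and the sample log lines are constructed for illustration.

```python
# FIELDS list copied from the transforms.conf stanza quoted in the post.
TA_FIELDS = ("date,time,win_action,transport,src,dest,src_port,dest_port,size,"
             "tcp_flag,tcpsyn,tcpack,tcpwin,icmptype,icmpcode,info,win_direction").split(",")

# Constructed sample lines (documentation IP ranges, not from a real host).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:22:31 ALLOW TCP 192.0.2.10 198.51.100.7 51514 443 0 - 0 0 0 - - - SEND
2024-01-15 10:22:32 DROP UDP 192.0.2.10 198.51.100.9 5353 5353 78 - - - - - - - RECEIVE 4312
2024-01-15 10:22:33 DROP ICMP 192.0.2.10
"""


def check_pfirewall(text, fields=TA_FIELDS):
    """Return (events, problems).

    events:   dicts keyed by the TA field names, for lines that match FIELDS.
    problems: (line_number, message) for lines whose column count differs.
    """
    events, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The "#Fields:" header names the columns this host writes.
            if line.startswith("#Fields:"):
                header = line[len("#Fields:"):].split()
                if len(header) != len(fields):
                    problems.append(
                        (n, f"header has {len(header)} columns, TA expects {len(fields)}"))
            continue
        values = line.split(" ")  # same single-space delimiter as DELIMS = " "
        if len(values) != len(fields):
            problems.append((n, f"{len(values)} values, TA expects {len(fields)}"))
            continue
        events.append(dict(zip(fields, values)))
    return events, problems


if __name__ == "__main__":
    events, problems = check_pfirewall(SAMPLE_LOG)
    print(f"{len(events)} line(s) match the TA field list")
    for line_number, message in problems:
        print(f"line {line_number}: {message}")
```

To check a real file, pass its contents to `check_pfirewall` in place of `SAMPLE_LOG`.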