Having only splunk stream show "$decideOnStartup" in the hostname of events, while other inputs correctly reflect the real hostname is a known bug in version 7.3.0 and earlier  https://docs.splunk.com/Documentation/StreamApp/7.3.0/ReleaseNotes/Knownissues  Issue ID: STREAM-4641, STREAM-4635 When I installed version 7.4.0 and this problem vanished for my system.     ... View more

The Checkpoint App produced, published and supported by the vendor (https://splunkbase.splunk.com/app/4293/) breaks CIM compatibility for the action field.   Recommend opening issue with Checkpoint and have them reference the lookup performed on the action field done by the legacy app Check Point Splunk CIM TA (https://splunkbase.splunk.com/app/4629/) which correctly handles the action field to make it CIM compliant. Net result is that some checkpoint events processed by the vendor will not be found when searching for the 4 allowed values of "allowed, blocked, dropped,unknown”. ... View more