All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Proofpoint On Demand Email Security Add-on: How do you set action in Email CIM?

jwhughes58
Contributor
‎04-22-2019 11:44 AM

One of the fields in the Email CIM is action. From the Proofpoint-On-Demand pps_messagelog I want to change final_action to action. I've tried using the below in TA-pps_ondemand/local/props.conf

FIELDALIAS-pod_final_action = final_action AS action

and

EVAL-action = final_action

The field alias didn't do anything. The eval caused an error when I tried to deploy. The version of Splunk is 7.2.5.1 installed on-site. Frankly I'm baffled by this one. Either works if I have it in the SPL in search. Any suggestions?

TIA,
Joe

0 Karma
Reply

lakshman239
Influencer
‎04-23-2019 01:35 AM

If you run your search like this for say last 24 hours index=your_index sourcetype=yoursourcetype | fillnull value="N/A" final_action | stats count by final_action , are you seeing all values from your TA? Pls check if those values are similar to what is expected in the https://docs.splunk.com/Documentation/CIM/4.13.0/User/Email for 'action'. If your TA produces same values, you can just do an alias like what you have done, else, you may need to use the EVAL-action and check for values and map them to what's expected in CIM, using if/else or case statement in your local/props.conf

0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2019 08:09 PM

Your statement is ambiguous. Are you trying to take an existing field in your data and create another field with a different name and the same value? If so, which name is which? If not, be more clear in what exactly you are needing to do.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...