All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Check Point OPSEC LEA: Why is the src field not consistent?

Federica_92
Communicator
‎04-12-2016 03:07 AM

Hi everyone,

I am getting ids checkpoint logs in Splunk through the Splunk Add-on for Check Point OPSEC LEA. Looking at the raw logs, I can correctly see src=x.x.x.x, but clicking on the field above, it changes the value of the src ( or src_ip) field with the value of origin. I tried to manually extract the field, but it doesn't allow me to do it. (Everything is set as global, and I don't have any permission issues)

I had a look on the props/transforms file, but I wasn't able to locate the point where this happens.

0 Karma
Reply

mikelanghorst
Motivator
‎04-12-2016 10:58 AM

I can't explain why it was decided to have this field alias, but it's within the [opsec:ips] stanza

[opsec:ips]
...
FIELDALIAS-dvc_for_opsec                        = orig as dvc, orig as dvc_ip
FIELDALIAS-signature_for_ips                     = Protection_Name as signature
FIELDALIAS-src_for_opsec                        = orig as src, orig as src_ip

I'm not sure if the source formatting has changed or ??

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...