Weird issue here where all fields are being mapped besides possibly the most important ones (src_ip and dest_ip). Not sure what I could do to make these field appear, so I thought I'd post it here. Let me know if you have any suggestions.
I assume you are using https://splunkbase.splunk.com/app/1808 and https://splunkbase.splunk.com/app/3662/ . The later collects the data [ has CIM fields as well] and we will need following rename in local/props.conf on the later app to use cisco:sourcefire sourcetypes and CIM fields. You will then have src/src_ip/dest/dest_ip. Additionally, if you know your source and dest are IPs, you can alias or coalesce them to map to src_ip and dest_ip.
//props.conf
