Hi All, kindly guide me on how to write props and transforms to apply field aliases and evals for firewall devices, using the CIM Network data model. Below is the list of fields that are available in the firewall events.
Interesting fields:
date_month
date_wday
date_zone
disp
dst
eventtype
in_if
index
out_if
policy
proto
punct
serial
splunk_server
src
tag
tag::eventtype
I had gone through the CIM Network Traffic model below but am not sure how to start or what to write in props.conf and transforms.conf. Kindly guide me on this.
https://docs.splunk.com/Documentation/CIM/4.8.0/User/NetworkTraffic
It might be easier for you to use the GUI to just alias fields by sourcetype there.
https://[yoursplunkURL]/en-US/manager/search/data/props/fieldaliases
Hi Duke, I have written field aliases for some of the fields by comparing the fields in the events with the similar fields in CIM Network Traffic.
Example:
For field name dst, the field alias equivalent after comparing with CIM Network Traffic is
FIELDALIAS-dest_ip_for_watchguard = dst AS dest_ip
My question is what to write in props/transforms to apply the field aliases and evals. Kindly guide me on this.
Thanks in advance.
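An added example (not written by any poster in this thread) of how the aliases and evals for the fields listed above are expressed in props.conf, plus the eventtype and tags the Network Traffic data model needs to pick the events up. The sourcetype name `watchguard`, the `disp` values `Allow`/`Deny`, and the `vendor_product` string are assumptions; FIELDALIAS and EVAL entries live in props.conf only, while transforms.conf is only required for regex extractions (REPORT-) or lookups, so it is not needed for this step.

```ini
# props.conf (in the app's local/ or default/ directory)
# Sourcetype "watchguard" is an assumption; use the one your inputs assign.
[watchguard]

# Field aliases: left side is the field already extracted from the event,
# right side is the CIM Network Traffic field name. One entry may hold
# several "<old> AS <new>" pairs separated by spaces.
FIELDALIAS-watchguard_cim_endpoints  = src AS src_ip dst AS dest dst AS dest_ip
FIELDALIAS-watchguard_cim_interfaces = in_if AS src_interface out_if AS dest_interface
FIELDALIAS-watchguard_cim_rule       = policy AS rule

# Calculated fields (evals) run after aliases, so they can normalise values
# that have no one-to-one alias.
# CIM "action" expects allowed|blocked|teardown; the WatchGuard "disp" values
# Allow/Deny are assumed here. Verify with: ... | stats count by disp
EVAL-action = case(lower(disp)=="allow", "allowed", lower(disp)=="deny", "blocked")
# CIM "transport" is lowercase (tcp/udp/icmp)
EVAL-transport = lower(proto)
# Constant so the data model's vendor_product field is populated (assumed string)
EVAL-vendor_product = "WatchGuard Firebox"
# dvc identifies the reporting device; the firewall serial is used here (assumption)
EVAL-dvc = serial

# eventtypes.conf: the Network Traffic data model only includes events tagged
# both "network" and "communicate", so define an eventtype to hang tags on.
[watchguard_network_traffic]
search = sourcetype=watchguard src=* dst=*

# tags.conf
[eventtype=watchguard_network_traffic]
network = enabled
communicate = enabled
```

After deploying, confirm the mapping with `| datamodel Network_Traffic All_Traffic search` and check that `src_ip`, `dest_ip`, `action` and `transport` are populated for the watchguard events.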
I am not versed enough in transforms to help you in this regard. Only from personal experience: when only a handful of fields needed to be renamed, I simply used the GUI to alias them.
With props and transforms, it's trial and error, and Google searches. I typically import some sample data onto a development stand-alone Splunk server and try it out there.
Did you try searching Splunkbase for an add-on? There are quite a few add-ons out there to help you with your firewall's log fields.
Skalli
Hi skalliger, thanks for your quick response. I am looking for a WatchGuard application but I did not find any app related to this. So kindly guide me on how to write props/transforms to apply field aliases and evals.
Thanks in advance.
Hi All, can anyone guide me on how to write props/transforms to apply field aliases and evals for firewall events?
Thanks in advance.
Hi All, could you please guide me on how to write props/transforms to apply field aliases and evals for firewall events?
Thanks in advance.