I am facing a challenging issue with the CISCO WSA Add-on version 3.3.0, what happens is that I can not use/rename/EXTRACT/FIELDALIAS/COALESCE to get src_ip field into src from one location. As a reference, I am receiving wsa logs from two different sources/location, and both have the same configuration/OS version, however, if the wsa data comes from location A, the src field works fine with a FIELDALIAS, but if the wsa data comes from location B, the src field never appears, even if I apply a FIELDALIAS or any other action. Same Add-on applies for both locations.
Any idea will be highly appreciate it.
Current Splunk version: 7.3.4
... View more