Splunk TA-eStreamer v5.1.9: props.conf "action" not populating for firewall traffic.
Opened this issue · 0 comments
s33butler commented
props.conf
Sourcetype
[cisco:estreamer:data]
Lookups
#LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT fw_action
The lookup is "commented" out... though uncommenting it alone would not solve the issue, as the OUTPUT is fw_action.
Possible solutions...
Option 1: remove the comment and use action instead of fw_action
LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT action
Option 2: remove the comment and, if fw_action is needed, add an alias
LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT fw_action
Splunk CIM - Network Traffic Fields
FIELDALIAS-estreamer_fw_action2 = fw_action AS action
Supporting doc
https://docs.splunk.com/Documentation/CIM/5.1.0/User/NetworkTraffic
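As an added illustration (not part of this issue or of the TA's own files): a small Python check that parses a props.conf stanza and reports whether its LOOKUP- and FIELDALIAS- settings can populate the CIM "action" field. The three stanzas below are constructed to mirror the shipped form and the two options above; the OPTIONNEW/ASNEW handling is an assumption about general Splunk .conf syntax, not something taken from the TA.

```python
import configparser

# Constructed props.conf fragments (not the TA's shipped files) that mirror the issue:
# the shipped form leaves the LOOKUP commented out, and even uncommented it OUTPUTs
# fw_action rather than the CIM Network Traffic field "action".
SHIPPED = """
[cisco:estreamer:data]
#LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT fw_action
"""
OPTION1 = """
[cisco:estreamer:data]
LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT action
"""
OPTION2 = """
[cisco:estreamer:data]
LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT fw_action
FIELDALIAS-estreamer_fw_action2 = fw_action AS action
"""

def parse_props(text):
    """Parse props.conf-style text; Splunk .conf syntax is INI-like with case-sensitive keys."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep LOOKUP-/FIELDALIAS- prefixes and field names as written
    cp.read_string(text)
    return cp

def _output_fields(tokens):
    """Resolve an OUTPUT list such as 'a b AS c d' to event-side names {'a', 'c', 'd'}."""
    fields, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1].upper() in ('AS', 'ASNEW'):
            fields.add(tokens[i + 2])
            i += 3
        else:
            fields.add(tokens[i])
            i += 1
    return fields

def fields_produced(stanza):
    """Fields the stanza's LOOKUP-* and FIELDALIAS-* settings write at search time.
    A LOOKUP with no OUTPUT clause emits every lookup column, which cannot be known
    from props.conf alone, so such lookups contribute nothing here."""
    produced = set()
    for key, value in stanza.items():
        tokens = value.split()
        if key.startswith('LOOKUP-'):
            for kw in ('OUTPUTNEW', 'OUTPUT'):
                if kw in tokens:
                    produced |= _output_fields(tokens[tokens.index(kw) + 1:])
                    break
        elif key.startswith('FIELDALIAS-'):
            produced |= {tokens[i + 2] for i in range(0, len(tokens) - 2, 3)
                         if tokens[i + 1].upper() in ('AS', 'ASNEW')}
    return produced

def cim_action_populated(text, sourcetype='cisco:estreamer:data'):
    """True if the sourcetype's search-time config can populate the CIM 'action' field."""
    cp = parse_props(text)
    return cp.has_section(sourcetype) and 'action' in fields_produced(cp[sourcetype])
```

Running cim_action_populated over the shipped stanza returns False, and over either option returns True; the same check can be pointed at a deployed props.conf to confirm the fix landed.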