dvc field is determined inconsistently across sourcetypes
MonkeyKa opened this issue · 0 comments
Describe the bug
Have noticed that pan:traffic uses the value in dvc_name for dvc, while pan:threat, pan:config, and pan:system use the host field.
This creates an inconsistent summary and search experience across logs.
Expected behavior
I would expect dvc to be the same for the same device across all sourcetypes.
Current behavior
For all sourcetypes other than pan:traffic, an alias is currently being used to alias host to dvc.
For pan:traffic, a calculated field is being used to pick the first available between dvc_name and host:
coalesce(dvc_name, host)
Since dvc_name is part of the standard syslog, that is what is used.
Some sourcetypes do not have the dvc or dvc_name field.
Possible solution
Either alias dvc to dvc_name for all sourcetypes, or alias them all to host.
Steps to reproduce
- Can visualize the difference in Splunk with "index=pan_logs | dedup sourcetype | table sourcetype dvc dvc_name host | head 10"
Context
Some Splunk users who've counted on the dvc field are complaining to me about existing correlation searches not working.
Your Environment
- Version used:
- Splunk Enterprise Version: 8.2.2
- Splunk_TA_paloalto | 7.1.0
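The following props.conf fragment is an added illustration of the two derivation rules described in this issue and of one way to make them uniform. It is not the Splunk_TA_paloalto project's own configuration: the stanza contents are an assumed reconstruction from the issue text, and the real default/props.conf may differ. It relies on Splunk's search-time precedence, where calculated fields (EVAL-) are applied after field aliases (FIELDALIAS-), so an EVAL-dvc placed in local/props.conf takes effect for a sourcetype even if the default alias is left in place.

```ini
# Added illustration for this issue, not the TA's shipped props.conf.
# The "current" stanzas are an assumed reconstruction of the behaviour the
# issue describes; the "proposed" stanzas are the suggested uniform rule.

# ---------------------------------------------------------------
# Current behaviour (assumed reconstruction of default/props.conf)
# ---------------------------------------------------------------
# pan:traffic derives dvc with a calculated field: first non-null of
# dvc_name and host, so a device name from the syslog body wins.
[pan:traffic]
EVAL-dvc = coalesce(dvc_name, host)

# The other sourcetypes simply alias the Splunk host field to dvc,
# so dvc is the syslog relay/host value, not the firewall's own name.
[pan:threat]
FIELDALIAS-dvc = host AS dvc

[pan:config]
FIELDALIAS-dvc = host AS dvc

[pan:system]
FIELDALIAS-dvc = host AS dvc

# ---------------------------------------------------------------
# Proposed: the same rule for every sourcetype (local/props.conf)
# ---------------------------------------------------------------
# coalesce() returns its first non-null argument, so a sourcetype whose
# events carry no dvc_name field falls back to host instead of yielding
# an empty dvc. Calculated fields run after field aliases, so these
# EVAL-dvc lines override the FIELDALIAS-dvc above for each sourcetype.
[pan:threat]
EVAL-dvc = coalesce(dvc_name, host)

[pan:config]
EVAL-dvc = coalesce(dvc_name, host)

[pan:system]
EVAL-dvc = coalesce(dvc_name, host)

# Verification search after restarting or reloading search-time config
# (the same search given under "Steps to reproduce"): every row should
# now show dvc equal to dvc_name where dvc_name exists, else host.
#   index=pan_logs | dedup sourcetype | table sourcetype dvc dvc_name host | head 10
```

If the alternative fix (alias every sourcetype to host) is chosen instead, the pan:traffic stanza would need its EVAL-dvc removed rather than just a FIELDALIAS added, since the calculated field would otherwise still take precedence over the alias.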