Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add a new field in indexing time from data received via HEC

corti77
Communicator
‎10-31-2023 07:52 AM

Hi,

I am using Splunk 9.0.6, and I configured HEC + Syslog Connector for Splunk for the data ingestion.

At the moment, I receive events from our two different firewall (PaloAlto and Stormshield). My problem arises with the fact that Stormshield is not directly supported by SC4S, so the extracted fields are not CIM compliant.

More precisely, the field action should contain blocked or allowed as possible values, but it contains pass and block instead.

My question is how it would be the best way to implement this transformation.

I tried creating the following files in the path 

C:\Program Files\Splunk\etc\apps\splunk_httpinput\local

props.conf

[StormShield:StormShield]
TRANSFORMS = rewriteaction

transform.conf

[rewriteaction]
EVAL-action = case(action="pass", "allowed", action="block", "blocked" , 1=1, "UNKNOWN")

I restarted Splunk, but nothing really happened.

Any idea of what I am doing wrong? 

Many thanks.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

View solution in original post

Reply
Solved! Jump to solution

corti77
Communicator
‎11-01-2023 04:13 AM

hi @PickleRick , yes, I am a bit confused about the philosophy behind all these files.

We have only one single server, so I guess it has to be configured there. You mentioned that has nothing to do with HEC, so where should I place the props.conf file? At /etc/system/local ?

cheers

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-01-2023 05:50 AM

While in an all-in-one scenario it might not be that important, it's useful to remember that you should avoid putting anything in etc/system/local.

Apart from that, you can put it "anywhere" - see how Splunk merges the separate files into effective config https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎10-31-2023 09:59 AM

This is something you typically do in the search-head layer. It has nothing to do with HEC.

And you're mixing different things here - EVAL-* entries belong directly in props.conf, not in transforms.conf stanza. And again - if you have a bigger environment than an all-in-one setup, this goes into the search-head tier.

Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...