Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicate field names in extraction for pan:globalprotect #328

Open
cklubnes opened this issue Apr 30, 2024 · 0 comments
Open

Duplicate field names in extraction for pan:globalprotect #328

cklubnes opened this issue Apr 30, 2024 · 0 comments
Labels
bug

Comments

@cklubnes
Copy link

Describe the bug

In the FIELDS list in [extract_globalprotect] there are two fields named "serial_number"

Expected behavior

The first field is the correct "serial_number". But the second one, that is not extracted should probably be extracted as host_serial.

Current behavior

Currently the second field with same name as the first one is not extracted from the event.

Possible solution

Change the name of the second field in the FIELDS list in [extract_globalprotect] to host_serial. And make an FIELDALIAS til alias the host_serial to a field named serial to match the inventory datamodel.

Steps to reproduce

transforms.conf original
[extract_globalprotect] DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","log_type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","serial_number","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"

transforms.conf should be changed to:
[extract_globalprotect] DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","log_type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","host_serial","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"

in props.conf a FIELDALIAS could/should be added:
[pan:globalprotect] ... FIELDALIAS-serial = host_serial as serial ...

Context

Your Environment

  • Version used: Splunk_TA_paloalto 8.1.1
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Splunk Enterprise 9.1.2
  • Operating System and version (desktop or mobile): Ubuntu
@cklubnes cklubnes added the bug label Apr 30, 2024
@cklubnes cklubnes changed the title Duplcate field names in extraction for pan:globalprotect Duplicate field names in extraction for pan:globalprotect Apr 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cklubnes