Skip to content
This repository was archived by the owner on Dec 14, 2024. It is now read-only.

Duplicate field names in extraction for pan:globalprotect #328

Open
Open
Duplicate field names in extraction for pan:globalprotect#328
Labels
bug
@cklubnes

Description

@cklubnes
cklubnes
opened on Apr 30, 2024

Describe the bug

In the FIELDS list in [extract_globalprotect] there are two fields named "serial_number"

Expected behavior

The first field is the correct "serial_number". But the second one, that is not extracted should probably be extracted as host_serial.

Current behavior

Currently the second field with same name as the first one is not extracted from the event.

Possible solution

Change the name of the second field in the FIELDS list in [extract_globalprotect] to host_serial. And make an FIELDALIAS til alias the host_serial to a field named serial to match the inventory datamodel.

Steps to reproduce

transforms.conf original
[extract_globalprotect] DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","log_type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","serial_number","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"

transforms.conf should be changed to:
[extract_globalprotect] DELIMS = "," FIELDS = "future_use1","receive_time","serial_number","log_type","future_use2","version","time_generated","vsys","event_id","stage","auth_method","tunnel_type","src_user","src_region","machine_name","public_ip","public_ipv6","private_ip","private_ipv6","host_id","host_serial","client_ver","client_os","client_os_ver","repeat_count","reason","error","opaque","status","location","login_duration","connect_method","error_code","portal","sequence_number","action_flags","event_time","selection_type","response_time","priority","attempted_gateways","gateway","devicegroup_level1","devicegroup_level2","devicegroup_level3","devicegroup_level4","vsys_name","dvc_name","vsys_id"

in props.conf a FIELDALIAS could/should be added:
[pan:globalprotect] ... FIELDALIAS-serial = host_serial as serial ...

Context

Your Environment

  • Version used: Splunk_TA_paloalto 8.1.1
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Splunk Enterprise 9.1.2
  • Operating System and version (desktop or mobile): Ubuntu

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions