One of the fields in the Email CIM is action. From the Proofpoint-On-Demand pps_messagelog I want to change final_action to action. I've tried using the below in TA-pps_ondemand/local/props.conf:
FIELDALIAS-pod_final_action = final_action AS action
and
EVAL-action = final_action
The field alias didn't do anything. The eval caused an error when I tried to deploy. The version of Splunk is 7.2.5.1 installed on-site. Frankly I'm baffled by this one. Either works if I have it in the SPL in search. Any suggestions?
TIA,
Joe