Hi,
I am trying to add new evaluation for a field in search-time.
For some reason, when I run query from my search head, I get the old values and it seems that the props.conf is not working.
Here is my configuration:
EVAL-action = if(isnull(action), action, if(eventtype == "Intrusion_Detection", if(action IN ("Accept", "Detect", "Allow"),"allowed", "blocked"),action))
If i copy the above line to the search bar, it works OK.
What am I missing here?
↧