I just onboarded Check Point logs using the Splunk Add-on for Check Point OPSEC LEA, and most of the fields look OK except for a few which seem to swap data between each other. Fields like **protocol**, **s_port**, or **service** do not have consistent values, for example:
protocol: udp, tcp, icmp, 2, 89, 46
s_port: ntp-udp, nbname, 8978, 23384, http, 9809
service: http, 8612, TCP, SSL, UDP, DNS
Any idea how to fix it? It seems like there is some issue with field extraction.
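A quick way to confirm that the problem is field misalignment rather than odd but legitimate data is to audit the extracted events for values that cannot belong to the field they landed in. The script below is an added example, not part of the question or of the Splunk add-on: it assumes events have already been extracted into dictionaries with the three field names from the post, uses a small constructed sample built from the values listed above, flags events where a field holds the wrong kind of value (a service name in **s_port**, a protocol name in **service**), and for each bad event tries every reassignment of the three values to find the one that satisfies all field rules. A unique consistent reassignment across many events is a strong hint that the extraction is shifting columns, which is what to look at in the add-on's props/transforms configuration.

```python
import re
from itertools import permutations

# Protocol names that may legitimately appear in the "protocol" field
PROTOCOL_NAMES = {"tcp", "udp", "icmp", "gre", "esp", "ah", "igmp"}

# Which value classes each field is allowed to contain (assumed rules;
# the field names are the ones from the question)
FIELD_RULES = {
    "protocol": {"number", "protocol"},   # "tcp" or an IP protocol number
    "s_port": {"number"},                 # source port is always numeric
    "service": {"number", "service"},     # "http", "DNS" or a port number
}

# Constructed sample of already-extracted events, built from the values
# quoted in the question; not real log data
SAMPLE_EVENTS = [
    {"protocol": "udp", "s_port": "8978", "service": "http"},
    {"protocol": "tcp", "s_port": "23384", "service": "8612"},
    {"protocol": "2", "s_port": "ntp-udp", "service": "TCP"},
    {"protocol": "89", "s_port": "http", "service": "UDP"},
    {"protocol": "icmp", "s_port": "9809", "service": "DNS"},
]


def classify(value):
    """Return the value class: 'number', 'protocol' or 'service'."""
    v = value.strip().lower()
    if re.fullmatch(r"\d+", v):
        return "number"
    if v in PROTOCOL_NAMES:
        return "protocol"
    return "service"


def audit_events(events):
    """Return (index, {field: wrong_class}) for every event that
    holds a value its field is not allowed to contain."""
    findings = []
    for i, ev in enumerate(events):
        bad = {}
        for field, allowed in FIELD_RULES.items():
            if field in ev and classify(ev[field]) not in allowed:
                bad[field] = classify(ev[field])
        if bad:
            findings.append((i, bad))
    return findings


def suggest_realignment(event):
    """Try every assignment of the event's values to the three fields and
    return the assignments that satisfy all field rules. A single result
    that differs from the input is the likely correct column order."""
    fields = [f for f in FIELD_RULES if f in event]
    values = [event[f] for f in fields]
    consistent = []
    for perm in permutations(values):
        candidate = dict(zip(fields, perm))
        if all(classify(candidate[f]) in FIELD_RULES[f] for f in fields):
            consistent.append(candidate)
    return consistent


def summarize_classes(events):
    """Per field, the set of value classes seen across all events; a field
    with more than one unexpected class is a strong misalignment signal."""
    seen = {f: set() for f in FIELD_RULES}
    for ev in events:
        for f in FIELD_RULES:
            if f in ev:
                seen[f].add(classify(ev[f]))
    return seen


if __name__ == "__main__":
    print("classes per field:", summarize_classes(SAMPLE_EVENTS))
    for idx, bad in audit_events(SAMPLE_EVENTS):
        print(f"event {idx}: misplaced {bad}")
        for fix in suggest_realignment(SAMPLE_EVENTS[idx]):
            print("  consistent reassignment:", fix)
```

Run it against a larger export of your extracted events (for example the output of a Splunk search with `| table protocol s_port service`); if nearly every flagged event realigns with the same reassignment, the extraction is shifting columns consistently and a fix to the field mapping will correct all of them at once.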