Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | timestamp | | | |
machine | str | | | |
tag | str | | | |
version | str | | | |
server_date | str | | | |
message_source | str | | | |
action_name | str | `action_prefix + action` | action_prefix action | |
action | str | | | |
srcIp | ip4 | `isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux` | srcIp_aux srcIp_tmp | |
srcIp_str | str | `isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str` | srcIp_tmp_str srcIp_aux_str | |
srcPort | int4 | `isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux` | srcPort_tmp srcPort_aux | |
dstIp | ip4 | `isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux` | dstIp_aux dstIp_tmp | |
dstIp_str | str | `isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str` | dstIp_aux_str dstIp_tmp_str | |
dstPort | int4 | `isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux` | dstPort_tmp dstPort_aux | |
service | str | `isnotnull(service_tmp) ? service_tmp : service_aux` | service_aux service_tmp | |
srcXIp | ip4 | | | |
srcXPort | int4 | | | |
dstXIp | ip4 | | | |
dstXPort | int4 | | | |
natConnetionTag | str | | | |
srcNatRuleType | str | `isnotnull(srcNatRuleType_tmp) ? srcNatRuleType_tmp : srcNatRuleType_aux` | srcNatRuleType_aux srcNatRuleType_tmp | |
srcNatRule | str | `isnotnull(srcNatRule_tmp) ? srcNatRule_tmp : srcNatRule_aux` | srcNatRule_aux srcNatRule_tmp | |
dstNatRuleType | str | `isnotnull(dstNatRuleType_tmp) ? dstNatRuleType_tmp : dstNatRuleType_aux` | dstNatRuleType_tmp dstNatRuleType_aux | |
dstNatRule | str | `isnotnull(dstNatRule_tmp) ? dstNatRule_tmp : dstNatRule_aux` | dstNatRule_tmp dstNatRule_aux | |
srcNatIp | ip4 | | | |
dstNatIp | ip4 | | | |
proto | int4 | `isnotnull(proto_tmp) ? proto_tmp : proto_aux` | proto_aux proto_tmp | |
protoStr | str | `(proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("")` | proto | |
policy | str | `isnotnull(policy_tmp) ? policy_tmp : policy_aux` | policy_aux policy_tmp | |
srcZone | str | `isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux` | srcZone_tmp srcZone_aux | |
dstZone | str | `isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux` | dstZone_aux dstZone_tmp | |
session | int4 | `isnotnull(session_tmp) ? session_tmp : session_aux` | session_tmp session_aux | |
reason | str | `isnotnull(reason_tmp) ? reason_tmp : reason_aux` | reason_aux reason_tmp | |
cliPkts | int4 | `isnotnull(cliPkts_tmp) ? cliPkts_tmp : cliPkts_aux` | cliPkts_tmp cliPkts_aux | |
cliBytes | int8 | `isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux` | cliBytes_aux cliBytes_tmp | |
srvPkts | int4 | `isnotnull(srvPkts_tmp) ? srvPkts_tmp : srvPkts_aux` | srvPkts_tmp srvPkts_aux | |
srvBytes | int8 | `isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux` | srvBytes_tmp srvBytes_aux | |
duration | int4 | `isnotnull(duration_tmp) ? duration_tmp : duration_aux` | duration_aux duration_tmp | |
app | str | `isnotnull(app_tmp) ? app_tmp : app_aux` | app_aux app_tmp | |
app2 | str | `isnotnull(app2_tmp) ? app2_tmp : app2_aux` | app2_aux app2_tmp | |
user | str | `isnotnull(user_tmp) ? user_tmp : user_aux` | user_tmp user_aux | |
roles | str | `isnotnull(roles_tmp) ? roles_tmp : roles_aux` | roles_aux roles_tmp | |
iface | str | `isnotnull(iface_tmp) ? iface_tmp : iface_aux` | iface_aux iface_tmp | |
icmpType | int4 | `isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux` | icmpType_tmp icmpType_aux | |
structuredData | str | | | |
encrypted | str | `isnotnull(encrypted_tmp) ? encrypted_tmp : encrypted_aux` | encrypted_tmp encrypted_aux | |
connectionTag | str | | | |
unknown | str | | | ✓ |
rawMessage | str | | | ✓ |
hostchain | str | | | ✓ |