Hello!
Using the props.conf with no modifications, the field aliases for sourcetype hx_cef_syslog are not working.
For example, the field in my event:
dmac = 00:22:44:66:88:aa
Yet defined in props.conf under the [hx_cef_syslog] stanza is:
FIELDALIAS-src_mac_for_fireeye = dmac as **src_mac**
Another example which fails to work: `FIELDALIAS-src_for_fireeye = dst as src` - this has no effect on the fields in events returned at search-time. Commenting out the lines has no effect either.
The app is installed on both the search head and the indexers; regex extractions look to be working OK, it's just the field aliases which are failing.
Thanks.