Searching from GROK extracted type IP-address fields

I configured a Grok extractor for my Checkpoint logs. What have I missed? I cannot search IP addresses like I can from my Fortigate logs.

srcip:10.9.24.0/24 works when searching Fortigate logs but not when searching the grok extracted Checkpoint fields (extracted with %{IP:srcip}). Both have the field srcip available when going through their individual streams.

Do I need to specify the Checkpoint srcip field somehow and somewhere as an IP address? Or what?

Thanks in advance :slight_smile:

So your Extractor is just %{IP:srcip} to get the information out of the log messages via extractor? Is this working as it should? So did you see the field srcip when you expand the messages?

Is the field the same as with the Fortigate logs? How did you process them? What is the difference?

My grok is way longer :slight_smile: and all the wanted fields are shown when expanding message.

I see the field, and have now made a custom template defining the field as type “ip”. I also have manually rotated the write-active indices of the index sets for the changes to take effect. Still no luck (matches) with the correct search format, e.g. 10.9.23.0/24.

Found my “bug”…

Had forgotten to point the stream to the correct index… it was going to the all messages index.
Problem solved, feeling ashamed. :pensive:

Glad that it was something simple - thank you for giving the reason for your problem to the community.
