I have a CEF input set up on Graylog, which handles logs that are sent from a ForcePoint SMC. The ForcePoint SMC gathers logs from different ForcePoint Firewall devices, then forwards them in CEF format to Graylog. The input works fine, and parses Firewall logs correctly into different fields.
I also have many other inputs, collecting logs from various Firewall models (ASA, Fortinet, etc.), which I am parsing via a mix of Grok and RegEx extractors.
One of the interesting fields that I have from the Firewall logs is “dpt”, short for destination port. This is currently being parsed as a “long” type field by the CEF input, and as a “string” field by all other inputs. The consequence of this is that I am unable to “Show top values” on this particular field, as can be seen in the following screenshots:
How can I resolve this? Is it possible to force the CEF input to use “string” as the field type for this field?