Broken field alias for src in sourcetype=pan:firewall_cloud

[cramasta]

For the sourcetype=pan:firewall_cloud the src field does not appear in the list of fields.

The data format is JSON so Splunk automatically extracts the field named SourceAddress

The TA then has two field aliases settings in props.conf that operate in this order

1. FIELDALIAS-fwcloud_src = SourceAddress as src <- this creates the src field alias

2. FIELDALIAS-src_for_pan_cloud = src_ip as src <-this tries to create a field alias of src from the src_ip field, but src_ip field does not exist. Since it doesn't exist and the default setting for a field alias is to overwrite the alias value this causes splunk to REMOVE the src field

3. EVAL-src_ip = coalesce(SourceAddress, PublicIPv4) < - we than have this eval to create a field called src_ip by coalescing two other fields together. BUT hey didnt you say in step 2 that src_ip didnt exist?! Thats correct because EVAL's occur AFTER FIELDALIAS so at the time the field aliases operated it src_ip did not exist at that time.

My guess is that the field aliases worked previously and did what was intended prior to a update in Splunk 7.2.4 in how field alias's work. Prior to 7.2.4 Splunk would have NOT removed the field alias in step 2 even though scr_ip didnt exist.

more here on the field alias change
https://docs.splunk.com/Documentation/Splunk/8.2.2/ReleaseNotes/Fieldaliasbehaviorchange#:~:text=4%2B%20of%20Splunk%20Enterprise%2C%20the,events%20that%20contain%20that%20field.

Im not sure what the intent was for creating the src field so I dont want to suggest what the proper fix is as there are many ways one could go about fixing this. However a quick fix to at least get step 1's alias working is to uncheck the OVERWRITE Values setting in the FIELDALIAS-src_for_pan_cloud config

[welcome-to-palo-alto-networks]

🎉 Thanks for opening your first issue here! Welcome to the community!

[jacobappleton-orbis]

Thanks @cramasta - I just ran into the same issue and this helped.