
ip.srcport is not parsing

Question asked by Devaraj Mohan on Apr 29, 2020
Latest reply on Apr 29, 2020 by Aaqib Shakeel

Hi Team,

We are facing a problem with the ip.srcport meta key. It is not parsing properly. We have done the steps below, but the issue still persists.

 

1) Changed value from Transient to "None" in table-map.xml in Log Decoder.

      <mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16" nullTokens="-|(null)|N/A" deprecated="1"/>

 

Restarted Log Decoder service

 

2) Added the below line in index-concentrator.xml after the destination port line.

 

  <key description="Destination Port" name="ip.dstport" format="UInt16" level="IndexValues" valueMax="65536" defaultAction="Closed"/>
  <key description="IP Source Port" name="ip.srcport" format="UInt16" level="IndexValues" valueMax="65536" defaultAction="Closed"/>

 

 Restarted Concentrator Service.

 

 

After doing all the steps, ip.srcport is still not being indexed and is not showing in the Investigation tab. Please do the needful.
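Added example, not part of the original post and not vendor code: a small Python check that the two edits described above are present in the files as loaded and agree with each other for one meta key. The wrapper elements `<mappings>` and `<language>` and the function name `check_meta_key` are assumptions; only the attributes quoted in the question are inspected.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the lines quoted in the question, wrapped in
# assumed root elements so that each fragment parses on its own.
TABLE_MAP = """<mappings>
  <mapping envisionName="sport" nwName="ip.srcport" flags="None"
           format="UInt16" nullTokens="-|(null)|N/A" deprecated="1"/>
</mappings>"""

INDEX = """<language>
  <key description="Destination Port" name="ip.dstport" format="UInt16"
       level="IndexValues" valueMax="65536" defaultAction="Closed"/>
  <key description="IP Source Port" name="ip.srcport" format="UInt16"
       level="IndexValues" valueMax="65536" defaultAction="Closed"/>
</language>"""


def check_meta_key(table_map_xml, index_xml, nw_name):
    """Return a list of findings for one meta key (empty list = consistent)."""
    findings = []
    # iter() walks the whole tree, so the root element name does not matter.
    mappings = [m for m in ET.fromstring(table_map_xml).iter("mapping")
                if m.get("nwName") == nw_name]
    keys = [k for k in ET.fromstring(index_xml).iter("key")
            if k.get("name") == nw_name]
    if not mappings:
        findings.append(f"no <mapping> with nwName={nw_name}")
    if not keys:
        findings.append(f"no index <key> with name={nw_name}")
    if len(keys) > 1:
        findings.append(f"{len(keys)} index <key> entries for {nw_name}")
    for m in mappings:
        src = m.get("envisionName")
        if m.get("flags") == "Transient":
            findings.append(f"mapping from {src} still has flags=Transient")
        for k in keys:
            if k.get("format") != m.get("format"):
                findings.append(f"format mismatch: mapping {m.get('format')}"
                                f" vs index {k.get('format')}")
    return findings


if __name__ == "__main__":
    for line in check_meta_key(TABLE_MAP, INDEX, "ip.srcport") or ["consistent"]:
        print(line)
```

Run it against the full contents of the files actually in use on the Log Decoder and Concentrator; an empty result only confirms that the edits are in place, not that the log parser populates the key.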
