RHACS TA_stackrox parsing different field names from those existing in Splunk

Solution Verified

Issue

  • The Technical Add-On for RHACS (TA_stackrox) extracts a deploymentInfo.clusterName field, but that field does not exist in the Splunk index receiving the logs; the field actually present is deployment.clusterName.
  • Events received from RHACS in Splunk carry field names without an "Info" suffix, so they do not match the fields extracted by the TA_stackrox Add-On.
  • The fields defined in TA_stackrox do not correspond to those emitted by RHACS.
  • The TA_stackrox Add-On is unusable as is: the fields it expects (deploymentInfo.*, networkFlowInfo.*, violationInfo.*, policyInfo.*) are either absent from the received data (networkFlowInfo.*, violation{}) or named differently (deployment.*, policy.*).
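The following script is an added example for checking the mismatch described above; it is not part of this article or of the TA_stackrox Add-On. It flattens an RHACS event the way Splunk's spath names fields, compares the top-level prefixes against the ones the Add-On expects, and separates prefixes that only differ by the "Info" suffix from those that have no counterpart at all. The sample event is constructed from the key names quoted in the issue (it is not a captured alert), and the generated props.conf FIELDALIAS stanza, including the "stackrox:alert" sourcetype name, is a generic Splunk workaround offered as an assumption, not the resolution of this article.

```python
import json

# Field prefixes the TA_stackrox 2.0.0 Add-On expects, taken from the issue description.
EXPECTED_PREFIXES = ("deploymentInfo", "networkFlowInfo", "violationInfo", "policyInfo")

# Constructed sample event (not a captured RHACS alert); key names follow the
# issue text: deployment.*, policy.* and a violation{} array, with no "Info" suffix.
SAMPLE_EVENT = json.dumps({
    "deployment": {"clusterName": "prod-east", "namespace": "payments", "name": "api"},
    "policy": {"name": "Privileged Container", "severity": "HIGH_SEVERITY"},
    "violation": [{"message": "Container 'api' is privileged"}],
})


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted paths Splunk's spath produces:
    dict keys joined with '.', array elements marked with '{}'."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(obj, list):
        out = {}
        for item in obj:
            out.update(flatten(item, f"{prefix}{{}}"))
        return out
    return {prefix: obj}


def audit_fields(event_json, expected_prefixes=EXPECTED_PREFIXES):
    """Compare the Add-On's expected top-level prefixes with what the event carries.
    Returns 'renamed' (expected -> actual prefix differing only by the 'Info'
    suffix), 'missing' (no counterpart at all) and 'actual_keys' (flattened)."""
    flat = flatten(json.loads(event_json))
    actual_prefixes = {key.split(".", 1)[0].replace("{}", "") for key in flat}
    renamed, missing = {}, []
    for expected in expected_prefixes:
        if expected in actual_prefixes:
            continue  # the Add-On's extraction would already work for this prefix
        stripped = expected[:-len("Info")] if expected.endswith("Info") else expected
        if stripped in actual_prefixes:
            renamed[expected] = stripped
        else:
            missing.append(expected)
    return {"renamed": renamed, "missing": missing, "actual_keys": sorted(flat)}


def suggest_fieldaliases(audit, stanza="stackrox:alert"):
    """Emit a props.conf stanza that re-exposes each received leaf field under
    the name the Add-On expects. The stanza (sourcetype) name is a placeholder
    assumption; FIELDALIAS accepts several 'orig AS new' pairs on one line."""
    lines = [f"[{stanza}]"]
    for expected, actual in audit["renamed"].items():
        pairs = []
        for key in audit["actual_keys"]:
            if key.split(".", 1)[0].replace("{}", "") == actual:
                pairs.append(f"{key} AS {expected}{key[len(actual):]}")
        lines.append(f"FIELDALIAS-{expected} = " + " ".join(pairs))
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_fields(SAMPLE_EVENT)
    print("renamed:", result["renamed"])
    print("missing:", result["missing"])
    print(suggest_fieldaliases(result))
```

Fields listed under "missing" (here networkFlowInfo, because a violation alert carries no network flow data) cannot be fixed by aliasing; only the "renamed" prefixes get a FIELDALIAS line. Before relying on the stanza, confirm the real sourcetype name in the receiving index, and check how your Splunk version handles aliases on array fields such as violation{}.message.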

Environment

  • Red Hat Advanced Cluster Security for Kubernetes (RHACS)
    • 4
  • Official Splunk Technical Add-On for RHACS
    • splunk TA_stackrox 2.0.0
