splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0
148 stars, 108 forks

Referencing field values in postfilter parser #2493

Closed rucete closed 6 days ago

rucete commented 2 weeks ago

Hi,

I'm trying to implement a block parser for FortiGate events. Pretty straightforward:

block parser fortinet_fortios_logid-postfilter() {
    channel {
        # route matching events to the null queue (i.e. drop them)
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application fortinet_fortios[sc4s-postfilter] {
    filter {
        "${fields.sc4s_vendor}" eq "fortinet" and
        "${fields.sc4s_product}" eq "fortios" and
        # the value I cannot find documented
        "${.values.action}" eq "allowed";
    };
    parser { fortinet_fortios_logid-postfilter(); };
};

The thing is I cannot seem to find documentation on how to correctly reference this value:

"${.values.action}" eq "allowed";

I'm just trying to filter out allowed traffic. I know the rest of the parser works because without that ".values.action" line, it drops all events. No errors are reported in the sc4s logs.

I'm not just looking to resolve this issue; a link to the documentation where this is explained (besides SC4S's docs on GitHub, which I've read) is also appreciated.

Thank you.

rjha-splunk commented 2 weeks ago

The fields are not available to sc4s to filter. The main fields to filter on usually start with sc4s_*; best will be using regexes based on MATCH() and MESSAGE().

https://syslog-ng.github.io/admin-guide/110_Template_and_rewrite/001_Modifying_messages/008_Custom_SDATA_fields

https://axoflow.com/docs/axosyslog-core/chapter-parsers/sdata-parser/_print/?highlight=sdata#prefix

These are the official documents to read about what is implemented.
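To make the maintainer's suggestion concrete, here is an added example of a postfilter written the way they describe: it tests the sc4s_* fields and then a regex on the raw message with match(), instead of comparing a ${.values.*} name-value pair that is not populated at the postfilter stage. This is illustrative code, not from the issue or from the SC4S project. Assumptions: the parser and application names are hypothetical, the value "allowed" is taken from the original question (FortiOS traffic logs are space-separated key=value pairs, and the value may or may not be quoted), and the file is assumed to sit in the SC4S local app_parsers directory as a postfilter config. Note why the original filter failed silently: in syslog-ng an unset name-value pair expands to an empty string, so the eq comparison is simply false and nothing is dropped, with no error logged.

```conf
# Added example (not from the issue or from the SC4S project): a postfilter
# that drops FortiOS events whose raw message carries action=allowed, using a
# regex on $MESSAGE as the maintainer suggests, instead of a ${.values.*}
# name-value pair that the postfilter stage cannot see.
#
# Assumptions: the parser/application names are hypothetical; the value
# "allowed" is taken from the original question; the file is assumed to live
# under the SC4S local app_parsers directory as a postfilter config.

block parser app-postfilter-fortinet_fortios_drop_allowed() {
    channel {
        # SC4S rewrite that routes the event to the null queue, i.e. drops it
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application app-postfilter-fortinet_fortios_drop_allowed[sc4s-postfilter] {
    filter {
        # sc4s_* fields are set by the vendor parser and are safe to test here
        "${fields.sc4s_vendor}" eq "fortinet" and
        "${fields.sc4s_product}" eq "fortios" and
        # FortiOS emits space-separated key=value pairs; the value may be
        # quoted, hence the optional "?. (^| ) and ( |$) anchor the key so a
        # longer key that merely ends in "action" cannot match by accident.
        # Single quotes avoid escaping the double quotes inside the regex.
        match('(^| )action="?allowed"?( |$)' value("MESSAGE"));
    };
    parser { app-postfilter-fortinet_fortios_drop_allowed(); };
};
```

message('...') is syslog-ng shorthand for the same match() against MESSAGE. Two practical caveats: a regex over the whole message costs more per event than a field comparison, so keep the sc4s_* tests first so the regex only runs on FortiOS traffic; and verify the actual action values your firewalls emit before relying on "allowed", since a value that never appears in the logs makes the filter silently drop nothing, exactly the failure mode in the original question.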

cwadhwani-splunk commented 6 days ago

@rucete Since we have not heard back, I am closing this issue. Feel free to reopen or create a new issue if you have further queries.