Hi all!
I noticed some inconsistencies in normalization for decoding "protocol" from logs, especially with networking logs.
The majority of decoders associate "protocol" with the literal "protocol" field. Other decoders (specifically fortigate, sonicwall, and others) decode the protocol into the "proto" field.
For normalization, is it appropriate to modify the decoder fields for consistency among other decoders?
I have applied this change to a local decoder and verified the field is corrected.
GitHub filter search for "proto": Proto Search
GitHub filter search for "protocol": Protocol Search
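The practical consequence of the inconsistency described in the post is that any rule or query keyed on the `protocol` field silently misses events from decoders that emit `proto`. The following is an added example, not code from the original post or from the decoder repository it refers to; it simulates three decoded events (constructed by hand, with assumed field names and values beyond `proto`/`protocol`) and shows a post-decode normalizer that maps both spellings, and numeric IANA protocol numbers, onto a single canonical `protocol` field before a rule is evaluated.

```python
"""Normalize the transport-protocol field across decoder outputs.

Added example, not from the original post. The decoded events below are
constructed to mimic the two shapes the post describes: most decoders emit a
"protocol" field, while some network-device decoders (the post names
fortigate and sonicwall) emit "proto". Every field other than those two, and
all sample values, are assumptions for illustration only.
"""

from typing import Any

# Minimal IANA protocol-number table (assumed subset, only what is needed here).
IANA_PROTO = {"1": "icmp", "6": "tcp", "17": "udp", "47": "gre", "50": "esp"}

CANONICAL = "protocol"
ALIASES = ("proto", "protocol")

# Constructed decoder outputs; the decoder names mirror the ones in the post.
SAMPLE_EVENTS = [
    {"decoder": "iptables", "srcip": "10.0.0.5", "dstport": "22", "protocol": "TCP"},
    {"decoder": "fortigate", "srcip": "10.0.0.7", "dstport": "22", "proto": "6"},
    {"decoder": "sonicwall", "srcip": "10.0.0.9", "dstport": "53", "proto": "udp"},
]


def _canon(value: str) -> str:
    """Lower-case a protocol value and map IANA numbers to names ("6" -> "tcp")."""
    v = value.strip().lower()
    return IANA_PROTO.get(v, v)


def normalize_protocol(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of *event* with the protocol stored only under CANONICAL.

    Both "proto" and "protocol" are accepted. If both are present and disagree
    after canonicalisation, the raw fields are kept and the event is flagged
    instead of one value silently overwriting the other.
    """
    out = dict(event)
    raw = {k: str(out.pop(k)) for k in ALIASES if k in out}
    if not raw:
        return out
    canon = {_canon(v) for v in raw.values()}
    if len(canon) > 1:
        out.update(raw)
        out["protocol_conflict"] = True
        return out
    out[CANONICAL] = canon.pop()
    return out


def matches_rule(event: dict[str, Any], protocol: str = "tcp") -> bool:
    """A toy rule that matches on the canonical field only, as most rules would."""
    return str(event.get(CANONICAL, "")).lower() == protocol


def count_matches(events: list[dict[str, Any]], normalize: bool) -> int:
    """Count TCP events, with or without normalisation applied first."""
    if normalize:
        events = [normalize_protocol(e) for e in events]
    return sum(matches_rule(e) for e in events)


if __name__ == "__main__":
    print("TCP matches without normalization:", count_matches(SAMPLE_EVENTS, False))
    print("TCP matches with normalization:   ", count_matches(SAMPLE_EVENTS, True))
    for e in SAMPLE_EVENTS:
        print(normalize_protocol(e))
```

Without normalization only the `iptables` event matches a `protocol == tcp` rule; the fortigate event with `proto=6` is the same TCP connection but never fires. Renaming the field inside the decoder, as the post proposes, removes the need for this post-processing step entirely; the conflict flag is there for the transition period when an event might carry both spellings.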