mitch703
Explorer

Quantum 1600 UTM Syslog to Splunk - Format / Fields / Table "ROW_START ROW_END"

Hi,


I'm a Splunk administrator trying to onboard a Check Point Quantum 1600 UTM appliance. I've already managed to send logs using syslog over UDP, but I am wondering about the format / content of some events.


I anonymized the values for some keys, but there's an example event below. I would like to disable the "Table" section starting right after the "rule_name" key value, since it doesn't look beneficial. I am also wondering why the event at some point ends with "...". That's not caused by Splunk, since truncation there would look different and would also occur at a predefined number of characters.


May 14 15:02:48 192.168.6.8 May 14 15:02:48 CP-SPARK-1600-2 Action="drop" resource="resource.com" inzone="Internal" outzone="External" service_id="AnyTCP" src="10.10.10.10" dst="10.10.10.10" proto="6" user="" src_user_name="" src_machine_name="" src_user_dn="" snid="" dst_user_name="" dst_machine_name="" dst_user_dn="" UP_match_table="TABLE_START" ROW_START="0" match_id="11111" layer_uuid="1111abcdefg" layer_name="Outgoing" rule_uid="" rule_name="CPEarlyDrop" ROW_END="0" UP_match_table="TABLE_END" UP_action_table="TABLE_START" ROW_START="0" action="2" ROW_END="0" ROW_START="1" action="2" ROW_END="1" ROW_START="2" action="2" ROW_END="2" ROW_START="3" action="2" ROW_END="3" ROW_START="4" action="2" ROW_END="4" ROW_START="5" action="2" ROW_END="5" ROW_START="6" action="2" ROW_END="6" ROW_START="7" action="2" ROW_END="7" ROW_START="8" action="2" ROW_END="8" ROW_START="9" action="2" ROW_END="9" ROW_START="10" action="2" ROW_END="10" ROW_START="11" action="2" ROW_END="11" ROW_START="12" action="2" ROW_END="12" ROW_START="13" action="2" ROW_END="13" ROW_START="14" action="2" ROW_END="14" ROW_START="15" action="2" ROW_END="15" ROW_START="16" action="2" ROW_END="16" ROW_START="17" action="2" ROW_END="17" ROW_START="18" action="2" ROW_END="18" ROW_START="19" action="2" ROW_END="19" ROW_START="20" action="2" ROW_END="20" ROW_START="21" action="2" ROW_END="21" ROW_START="22" action="2" ROW_END="22" ROW_START="23" action="2" ROW_END="23" ROW_START="24" action="2" ROW_END="24" ROW_START="25" action="2" ROW_END="25" ROW_START="26" action="2" ROW_END="26" ROW_START="27" action="2" ROW_END="27" ROW_START="28" action="2" ROW_END="28" ROW_START="29" action="2" ROW_END="29" ROW_START="30" action="2" ROW_END="30" ROW_START="31" action="2" ROW_END="31" ROW_START="32" action="2" ROW_END="32" ROW_START="33" action="2" ROW_END="33" ROW_START="34" action="2" ROW_END="34" ROW_START="35" action="2" ROW_END="35" ROW_START="36" action="2" ROW_END="36" ROW_START="37" action="2" ROW_END="37" ROW_START="38" action="2" ROW_END="38" ROW_START=...


What's causing a table to be included within the event? And also, why isn't there any kind of row description? Why is the event cut off with "..."?


Thanks a lot for your answers!

0 Kudos
2 Replies
PhoneBoy
Admin

Not sure why the ROW_START/ROW_END items are there, but they seem to be related to the Unified Policy matching process.
It seems to be expected behavior even on non-SMB gateways (look at example #2 here): https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...
To confirm this is expected behavior, a TAC case might be needed.

There are no options to tune what is sent via syslog on SMB appliances, unfortunately.
I don't know the logic used to truncate the log entries sent via syslog.

0 Kudos
mitch703
Explorer

Hi,

Even though it's not fully answering my question, I appreciate your comment / support, thanks! And since SMB appliances can't be configured regarding syslog, I assume I have to deal with it within the Splunk parsing.


Kind regards

0 Kudos
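As an added example (not from the thread, and not Check Point or Splunk code), the parsing step mitch703 concludes has to happen on the collector side: split the key="value" event into top-level fields, fold the ROW_START/ROW_END runs into per-table rows instead of leaving them as repeated fields, and flag the trailing "..." so a truncated event is not indexed as if it were complete. The sample event is constructed from the anonymised example above; parse_cp_event and summarize are hypothetical helper names.

```python
import re
from typing import Dict, List, Optional, Tuple
# Constructed sample, modelled on the anonymised event quoted in the question.
SAMPLE_EVENT = (
    'May 14 15:02:48 192.168.6.8 May 14 15:02:48 CP-SPARK-1600-2 Action="drop" '
    'resource="resource.com" inzone="Internal" outzone="External" service_id="AnyTCP" '
    'src="10.10.10.10" dst="10.10.10.10" proto="6" user="" '
    'UP_match_table="TABLE_START" ROW_START="0" match_id="11111" layer_name="Outgoing" '
    'rule_name="CPEarlyDrop" ROW_END="0" UP_match_table="TABLE_END" '
    'UP_action_table="TABLE_START" ROW_START="0" action="2" ROW_END="0" '
    'ROW_START="1" action="2" ROW_END="1" ROW_START=...'
)
# One key="value" pair; the bare ROW_START=... of a truncated event does not match.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_cp_event(raw: str) -> Tuple[Dict[str, str], Dict[str, List[Dict[str, str]]], bool]:
    """Return (flat_fields, tables, truncated): pairs outside any *_table block,
    table name -> rows rebuilt from ROW_START/ROW_END, and whether the event
    ends in the "..." seen in the thread (the open table may then be cut off)."""
    truncated = raw.rstrip().endswith("...")
    flat: Dict[str, str] = {}
    tables: Dict[str, List[Dict[str, str]]] = {}
    current_table: Optional[str] = None
    current_row: Optional[Dict[str, str]] = None
    for key, value in KV_RE.findall(raw):
        if key.endswith("_table"):  # TABLE_START opens a block, TABLE_END closes it
            current_table = key if value == "TABLE_START" else None
            if current_table:
                tables.setdefault(current_table, [])
        elif current_table is None:
            flat[key] = value  # top-level field: what a SIEM search usually wants
        elif key == "ROW_START":
            current_row = {}
            tables[current_table].append(current_row)
        elif key == "ROW_END":
            current_row = None
        elif current_row is not None:
            current_row[key] = value
    return flat, tables, truncated

def summarize(raw: str) -> Dict[str, object]:
    """Flatten for indexing: top-level fields plus the matched rule and a truncation flag."""
    flat, tables, truncated = parse_cp_event(raw)
    match_rows = tables.get("UP_match_table", [])
    return {
        **flat,
        "matched_rule_name": match_rows[0].get("rule_name") if match_rows else None,
        "action_rows": len(tables.get("UP_action_table", [])),
        "truncated": truncated,
    }
```

In Splunk terms this is the shape a custom field extraction or a pre-indexing transform would produce; the truncated flag is worth keeping as a field so incomplete events can be counted and reviewed rather than silently searched over.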
