Loguid and session id issue (suppressed log time problem on splunk)
Hello Team,
We wanted to create a report about the cvss tag. The condition is that if an IP address sends more than 10 requests with a cvss tag of 9 or above, this report is going to trigger. We check the cvss tag field for values greater than or equal to cvss_9 on the IPS blade. However, the suppressed log count and the log time on the GUI and on Splunk don't match. We faced a situation where the loguid and session id are the same on the Check Point CLI, but when I check the log that comes from Check Point on the Splunk server with tcpdump, the loguid and session id are different. We are stuck here. Can anybody explain this situation?
Labels: IPS
Tags: Loguid

How precisely are you verifying that loguid and session id are the same?
Also, what version/JHF of management?
Hi,
Some guys from Check Point support checked our system and showed us. They blame Splunk, but our logs come out different before the Splunk server reads them. Then I couldn't wait anymore, because the case took more than 3 months, and after countless meetings I would like to ask the community. I'm not sure about the version, but possibly we use the latest version. If this information is so critical, just let me know and then I can find out.
These guys said you can use the session id for understanding, but on the same day we have 1 session id and 3 loguids that belong to this session id. The time doesn't match on Splunk. Therefore I can't create the report with this data on Splunk.
Thanks for your time,
On the Check Point side of things, we correlate multiple logs into a single session that can be viewed in SmartView.
It makes logical sense that we would communicate this to an external SIEM, which is why we have separate loguid and session id fields.
It is up to the external SIEM to correctly process this information.
The only possible "bug" I see is in the details behind this statement: "We faced a situation where the loguid and session id are the same on the Check Point CLI, but when I check the log that comes from Check Point on the Splunk server with tcpdump, the loguid and session id are different."
How exactly did you attempt to verify this via the CLI and what version/JHF were these commands executed on?
Screenshots (with sensitive details redacted) of both CLI and SmartView output of the relevant logs might help.
However, I don't believe the above is really relevant to the issue you're experiencing.
From your description of the situation, Log Exporter is operating as expected.
More details would need to be provided to prove otherwise.
