Values of accumulative fields in Splunk are different from those in SmartConsole
Symptoms
  • Accumulative fields (bytes, packets, etc.) shown in Splunk have different values from those shown in SmartConsole.
Cause

Check Point log files have a maximum size of 2GB. When the maximum is reached, a log switch process occurs, which closes the open log file and creates a new one.

Check Point Gateways generate logs based on the inspected traffic. The first log generated for a specific event is the base log. After the base log is generated, Gateways can generate update logs for it that carry updated data. Update logs contain only the delta, that is, only the fields whose values differ from the values sent in the previous log records of the chain.

Most of the time, the entire log chain (base logs and updates) is written to the same log file, but there might be cases where update logs are stored in a different file, resulting in a log chain spread over more than one log file.

When a user defines a Log Exporter to export logs in semi-unified mode, Log Exporter needs to unify log values according to a unification scheme. The unification scheme defines which rule applies to each log field (use last value, add values, etc.) before the field is exported.

For accumulative fields, the relevant rule is 'add_value'.

Since the unification is done on every log file separately, a log chain that spans a log switch is summed in pieces: the updates in each file are added up on their own, so the 'add_value' result does not cover the whole chain and differs from the value SmartConsole shows for the same event.
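The following is an added illustration, not Log Exporter code and not a Check Point record format: it simulates semi-unified unification of one log chain (a base log plus delta-only updates) with a scheme that applies 'add_value' to bytes and packets and 'use last value' to other fields, first per log file and then across files. The record layout, field names and file names are constructed for the example; the point it shows is that a chain split by a log switch yields two partial sums when each file is unified on its own.

```python
# Added illustration (not Check Point's Log Exporter): how per-file unification
# of a log chain distorts accumulative fields when the chain spans a log switch.
from collections import defaultdict

# Constructed sample records (not a real Check Point log format). 'loguid' ties
# updates to their base log; 'file' is the log file the record landed in.
# Update records carry only the delta fields, as the article describes.
RECORDS = [
    {"file": "fw.log.1", "loguid": "A", "type": "base",
     "src": "10.0.0.5", "bytes": 1000, "packets": 10},
    {"file": "fw.log.1", "loguid": "A", "type": "update", "bytes": 500, "packets": 5},
    # Log switch happens here: the rest of chain A is written to the new file.
    {"file": "fw.log.2", "loguid": "A", "type": "update", "bytes": 700, "packets": 7},
    {"file": "fw.log.2", "loguid": "A", "type": "update", "bytes": 300, "packets": 3},
]

# Constructed unification scheme: rule applied to each field across the chain.
# Fields not listed fall back to 'last_value'.
SCHEME = {
    "bytes": "add_value",
    "packets": "add_value",
    "src": "last_value",
}

CHAIN_META = ("file", "loguid", "type")  # bookkeeping keys, never unified


def unify(records):
    """Unify a set of records into one dict per loguid according to SCHEME."""
    out = {}
    for rec in records:
        merged = out.setdefault(rec["loguid"], {})
        for field, value in rec.items():
            if field in CHAIN_META:
                continue
            if SCHEME.get(field, "last_value") == "add_value":
                merged[field] = merged.get(field, 0) + value   # accumulate deltas
            else:
                merged[field] = value                           # keep latest value
    return out


def unify_per_file(records):
    """What per-file unification yields: one partial result per (file, loguid)."""
    by_file = defaultdict(list)
    for rec in records:
        by_file[rec["file"]].append(rec)
    return {name: unify(recs) for name, recs in by_file.items()}


def unify_across_files(records):
    """Unify the whole chain regardless of which file each record sits in."""
    return unify(records)


def accumulative_mismatches(records):
    """List (loguid, field, per-file values, whole-chain value) for every
    add_value field whose per-file sums disagree with the whole-chain sum."""
    whole = unify_across_files(records)
    per_file = unify_per_file(records)
    found = []
    for loguid, fields in whole.items():
        for field, rule in SCHEME.items():
            if rule != "add_value" or field not in fields:
                continue
            parts = [u[loguid][field] for u in per_file.values()
                     if loguid in u and field in u[loguid]]
            if len(parts) > 1:
                found.append((loguid, field, parts, fields[field]))
    return found


if __name__ == "__main__":
    for name, unified in sorted(unify_per_file(RECORDS).items()):
        print(name, unified)
    print("whole chain", unify_across_files(RECORDS))
    print("mismatches", accumulative_mismatches(RECORDS))
```

Run stand-alone, the simulation reports bytes=1500 for chain A in fw.log.1 and bytes=1000 in fw.log.2, while unifying the whole chain gives bytes=2500: each file exports its own partial sum, and neither equals the full-chain total. In this simulation the second file's partial record also lacks the base-log fields (such as src), because the base log lives only in the first file.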

Solution
Note: To view this solution you need to Sign In .