https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95153#M6488 <P>i notice this too but my data is from v8.2, must be an extraction issue in the base app?</P> Wed, 04 Apr 2012 18:12:06 GMT cvajs 2012-04-04T18:12:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95150#M6485 <P>In Security Suite under Firewall &gt; Overview search shows no results, viewing the Inspect shows search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip, host,log_level_desc,event_desc, _time</P> <P>If I remove each transform filter one at a time I find that neither log_level_desc or event_desc will return results, as if they do not exist in the indexed data. If I remove them both then results are displayed.</P> <P>Where do I start looking?</P> Mon, 28 Sep 2020 11:31:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95150#M6485 ahammond 2020-09-28T11:31:57Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95151#M6486 <P>if its newer ASA then maybe you need to fix the regex for this source type<BR /> see <A href="http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change">http://splunk-base.splunk.com/answers/42936/cisco-asa-logging-format-change</A></P> Sat, 17 Mar 2012 01:45:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95151#M6486 cvajs 2012-03-17T01:45:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95152#M6487 <P>My Sourcetype is 'cicso__asa' after fixing the regex, but in "Cisco Firewall overview" for example the field event_desc shows somethin like this: </P> <P>\"Deny protocol src [interface_<EM>name:source</EM><EM>address/source_port] dst interface</EM><STRONG>name:dest_address/dest_port [type {string}, code {code}] by access</STRONG><STRONG>group acl</STRONG>ID\"</P> <P>The other fields get extracted correctly. Perhaps someone has a hint?<BR /> Where ist the field event_desc defined? Can i manually edit it?<BR /> Thanks in advance</P> <P>Bpad</P> Mon, 28 Sep 2020 11:37:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95152#M6487 bpad 2020-09-28T11:37:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95153#M6488 <P>i notice this too but my data is from v8.2, must be an extraction issue in the base app?</P> Wed, 04 Apr 2012 18:12:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95153#M6488 cvajs 2012-04-04T18:12:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95154#M6489 <P>Mine is also v8.2. What Versions are other people using? This ASA plugin is great and i hope i someone can help to fix this?!</P> Thu, 05 Apr 2012 07:24:27 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-Firewall-Add-on-empty-results/m-p/95154#M6489 bpad 2012-04-05T07:24:27Z