https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429953#M174139 <P>I checked for those files (props and transforms) but did not find them here, would they be in some other spot?<BR /> /opt/splunk/etc/apps/Splunk_TA_f5-bigip/local # ls<BR /> app.conf indexes.conf</P> <P>The Splunk Add-on for F5 BIG-IP is installed on both the forwarder and indexer.</P> <P>Unfortunately, I cannot post events. I can try redacting or modifying them before I post...it'll take me a while. Thanks!</P> Tue, 29 Sep 2020 22:21:15 GMT juanlazarosanch 2020-09-29T22:21:15Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429951#M174137 <P>I installed the Splunk Add-on for F5 BIG-IP and defined the incoming as sourcetype f5:bigip:asm:syslog. Several (not all) events are getting merged into one event. Is there anything I can change to modify the sourcetype so that each event is a single event and not merged? Thanks!</P> Wed, 12 Dec 2018 19:14:39 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429951#M174137 juanlazarosanch 2018-12-12T19:14:39Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429952#M174138 <P>Did you check props and transforms in Splunk Add-on for F5 BIG-IP..??<BR /> Can you post a sample event here..??<BR /> Make sure you have that TA installed on a heavy forwarder or indexer.</P> Wed, 12 Dec 2018 19:34:56 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429952#M174138 prakash007 2018-12-12T19:34:56Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429953#M174139 <P>I checked for those files (props and transforms) but did not find them here, would they be in some other spot?<BR /> /opt/splunk/etc/apps/Splunk_TA_f5-bigip/local # ls<BR /> app.conf indexes.conf</P> <P>The Splunk Add-on for F5 BIG-IP is installed on both the forwarder and indexer.</P> <P>Unfortunately, I cannot post events. I can try redacting or modifying them before I post...it'll take me a while. Thanks!</P> Tue, 29 Sep 2020 22:21:15 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429953#M174139 juanlazarosanch 2020-09-29T22:21:15Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429954#M174140 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/207045">@juanlazarosanch</a>ez: <BR /> check it in /opt/splunk/etc/apps/Splunk_TA_f5-bigip/default...<BR /> when you say forwarder, is it a heavy forwarder or a universal forwarder..?? </P> Tue, 29 Sep 2020 22:21:21 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429954#M174140 prakash007 2020-09-29T22:21:21Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429955#M174141 <P>Heavy forwarder</P> <P>They were in the spot you used mentioned. I looked through them, but could not determine why the events were merging.</P> <P>I tried something different, I changed to sourcetype to access_common and now all the events are separated as they should be. I don't mind using access_common going forward unless there is another pre-trained sourcetype that would be more appropriate. </P> Tue, 29 Sep 2020 22:21:23 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429955#M174141 juanlazarosanch 2020-09-29T22:21:23Z https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429956#M174142 <P>@juanlazarosanchez : I wouldn't do that unless there is a specific reason, go through splunk docs for detailed configuration steps, there should be few other configs/extractions that are tied with default sourcetypes.<BR /> <A href="http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes">http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Sourcetypes</A></P> Thu, 13 Dec 2018 01:14:29 GMT https://community.splunk.com/t5/Splunk-Search/F5-ASM-events-are-being-merged-sourcetype-is-f5-bigip-asm-syslog/m-p/429956#M174142 prakash007 2018-12-13T01:14:29Z