Recently I downloaded the "Splunk for F5 Access" app and installed it on my Splunk box.
Whenever I restart the Splunk process, I see the following configuration warning:
    Checking filesystem compatibility... Done
    Possible typo in stanza [firepass_log] in /home/splunk/etc/apps/firepass/default/props.conf, line 6: TRANSFORM = firepass-host
    There might be typos in your conf files. For more information, run 'splunk btool check --debug'
    Checking conf files for typos... Done
    All preliminary checks passed.
Content of Props.conf:
    [firepass_log]
    KV_MODE = none
    TIME_FORMAT = %b%d%H:%M:%S
    TRANSFORM = firepass_host
    REPORT-sid = firepass-host,firepass_term_host_prt,firepass_login_src,firepass_failed_valid,firepass_failed_invalid,firepass_sid_full,firepass_sid_full_condensed,firepass_sid,firepass_sid_kv,firepass_access_type,firepass_remote,firepass_intrusion,firepass_app_tunnel_remote_host,firepass_user_domain,firepass_logon_denied

    [firepass_host]
    DEST_KEY = MetaData:Host
    REGEX = (\d+\.\d+.\d+.\d+)
    FORMAT = host::$1
Can someone please help me find what the issue is?
As you see, it highlights the part where we have the error in the syntax.
Props.conf requires the Transform-
    [firepass_log]
    KV_MODE = none
    TIME_FORMAT = %b%d%H:%M:%S
    TRANSFORMS-firepass = firepass_host

This should fix the error.
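As an added example (not part of the original posts or the app's own code): a small Python check that flags class-based props.conf settings written without their `-<class>` suffix, like the `TRANSFORM` line in this thread, and lists transform names referenced by `TRANSFORMS-`/`REPORT-` settings that have no matching stanza. The sample text is constructed from the snippets quoted above, and the function names are hypothetical.

```python
import re

# props.conf settings that must be written as NAME-<class>. TRANSFORMS- and
# REPORT- values are comma-separated transforms.conf stanza names.
CLASS_SETTINGS = ("TRANSFORMS", "REPORT", "EXTRACT", "SEDCMD", "FIELDALIAS", "LOOKUP", "EVAL")
REFERENCING = ("TRANSFORMS", "REPORT")
NEAR_MISS = {s.rstrip("S") for s in CLASS_SETTINGS}  # catches TRANSFORM, REPORTS, ...

# Constructed sample input, based on the snippets quoted in this thread.
PROPS = r"""[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host
"""
TRANSFORMS = r"""[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_props(props_text, transforms_text):
    """Return (malformed_keys, dangling_refs), each a sorted list of tuples."""
    defined = parse_conf(transforms_text)
    malformed, dangling = [], []
    for stanza, settings in parse_conf(props_text).items():
        for key, value in settings.items():
            base, _, cls = key.partition("-")
            if base in CLASS_SETTINGS and cls:
                names = [n.strip() for n in value.split(",")] if base in REFERENCING else []
                dangling += [(stanza, key, n) for n in names if n and n not in defined]
            elif base.upper().rstrip("S") in NEAR_MISS:
                malformed.append((stanza, key))
    return sorted(malformed), sorted(dangling)

if __name__ == "__main__":
    malformed, dangling = check_props(PROPS, TRANSFORMS)
    print("malformed keys:", malformed)
    print("dangling refs:", dangling)
```

On a running instance, `splunk btool check --debug`, which the startup warning points to, remains the authoritative check.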