Palo Alto Networks App and Add-on for Splunk: Changes in transforms.conf are not working, how do I troubleshoot?

zhatsispgx
Path Finder

Hi there,

I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit.

I have a transform that I put together in ./etc/apps/Splunk_TA_paloalto/default/props.conf :

[pan:threat]
SHOULD_LINEMERGE = false
# My addition below to Filter out URL Logs:
TRANSFORMS-urlfilter = urlfilter

and ./etc/apps/Splunk_TA_paloalto/default/transforms.conf

[urlfilter]
REGEX=^.*(THREAT,url,).*(informational).*$
DEST_KEY=queue
FORMAT=nullQueue

After making these changes, I restarted Splunk.

Where do I see debugging information as to why this doesn't work?

Also, if you can see why it isn't working can you please share? 🙂

Lastly, is there an easier way to do this: the field that I am searching for is already extracted with this TA:

field: log_subtype
value i am trying to avoid indexing: 'url'

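Added check, not part of the original thread: the script below runs the REGEX from the transforms.conf stanza above against a few constructed, abbreviated PAN-OS log lines and reports which ones the urlfilter transform would route to nullQueue. It assumes Splunk's default behaviour of applying an index-time REGEX to the raw event text (SOURCE_KEY defaults to _raw) and uses Python's re module in place of Splunk's PCRE engine, which is equivalent for this pattern. The sample events and their field values are made up for the demonstration.

```python
import re
from collections import Counter

# The regex exactly as written in the transforms.conf stanza above. Splunk applies
# REGEX to _raw by default (SOURCE_KEY is _raw unless overridden), so the check
# below runs the same pattern against the raw event text.
URLFILTER_REGEX = re.compile(r"^.*(THREAT,url,).*(informational).*$")

# Constructed, abbreviated events in the comma-separated PAN-OS threat/traffic log
# layout. Field values and positions are illustrative, not captured data.
SAMPLE_EVENTS = [
    # url subtype, informational severity: this is what the filter is meant to drop
    "1,2024/01/01 00:00:01,0011223344,THREAT,url,2049,10.1.1.5,93.184.216.34,"
    "allow-web,web-browsing,alert,\"example.test/\",business-and-economy,"
    "informational,client-to-server",
    # vulnerability subtype with a high severity: must be kept
    "1,2024/01/01 00:00:02,0011223344,THREAT,vulnerability,2049,10.1.1.5,"
    "93.184.216.34,allow-web,web-browsing,reset-both,\"HTTP Directory Traversal\","
    "brute-force,high,client-to-server",
    # vulnerability subtype with informational severity: the regex also requires
    # the literal 'THREAT,url,', so this one is kept as well
    "1,2024/01/01 00:00:03,0011223344,THREAT,vulnerability,2049,10.1.1.5,"
    "93.184.216.34,allow-web,web-browsing,alert,\"Suspicious HTTP Evasion\","
    "info-leak,informational,client-to-server",
    # traffic log: never matches the THREAT pattern
    "1,2024/01/01 00:00:04,0011223344,TRAFFIC,end,2049,10.1.1.5,93.184.216.34,"
    "allow-web,web-browsing,allow,1234,5678,80,tcp",
]


def route_event(raw: str) -> str:
    """Return the queue the urlfilter transform would send this raw event to."""
    # DEST_KEY=queue with FORMAT=nullQueue: a match routes the event to nullQueue,
    # a non-match leaves the default indexQueue untouched.
    return "nullQueue" if URLFILTER_REGEX.search(raw) else "indexQueue"


def route_summary(events):
    """Count how many of the given raw events land in each queue."""
    return dict(Counter(route_event(e) for e in events))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{route_event(event):10s} {event[:60]}...")
    print(route_summary(SAMPLE_EVENTS))
```

Running it shows the first event going to nullQueue and the other three staying in indexQueue, so the pattern itself does what the stanza intends; if the events still reach the index, the problem lies in how or where the stanza is applied rather than in the regex. One caveat worth keeping in mind when looking for an "easier way": an index-time TRANSFORMS rule sees only the raw event text, not fields such as log_subtype that are extracted at search time, which is why the stanza has to match on literal strings.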
1 Solution

niemesrw
Path Finder

We do something similar:

https://answers.splunk.com/answers/475294/palo-alto-networks-app-for-splunk-is-it-possible-t-1.html#...

In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.

Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.

zhatsispgx
Path Finder

Thanks! That was it.
