- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Palo Alto Networks App and Add-on for Splunk: Chan...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit.
I have a transform that i put together in ./etc/apps/Splunk_TA_paloalto/default/props.conf :
[pan:threat]
SHOULD_LINEMERGE = false
# My addition below to Filter out URL Logs:
TRANSFORMS-urlfilter = urlfilter
and ./etc/apps/Splunk_TA_paloalto/default/transforms.conf
[urlfilter]
REGEX=^.*(THREAT,url,).*(informational).*$
DEST_KEY=queue
FORMAT=nullQueue
After making these changes, I restarted splunk.
Where do i see debugging information as to why this doesn't work?
Also, if you can see why it isn't working can you please share? 🙂
Lastly, is there an easier way to do this: the field that i am searching for is already extracted with this TA:
field: log_subtype
value i am trying to avoid indexing: 'url'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do something similar:
In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.
Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do something similar:
In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.
Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! that was it.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
