Hi there,
I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit.
I have a transform that I put together in ./etc/apps/Splunk_TA_paloalto/default/props.conf:
[pan:threat]
SHOULD_LINEMERGE = false
# My addition below to Filter out URL Logs:
TRANSFORMS-urlfilter = urlfilter
and ./etc/apps/Splunk_TA_paloalto/default/transforms.conf
[urlfilter]
REGEX=^.*(THREAT,url,).*(informational).*$
DEST_KEY=queue
FORMAT=nullQueue
After making these changes, I restarted Splunk.
Where do I see debugging information as to why this doesn't work?
Also, if you can see why it isn't working can you please share? 🙂
Lastly, is there an easier way to do this? The field that I am searching for is already extracted with this TA:
field: log_subtype
value i am trying to avoid indexing: 'url'
We do something similar:
In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.
Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.
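Added example (not from the thread, the TA, or Palo Alto Networks): a small POSIX shell script that does two things a practitioner would want before touching a production indexer. It writes the props.conf/transforms.conf pair from the question into the app's local/ directory with the TRANSFORMS- line under [pan:log], as the answer above recommends, and it runs the question's regex against a few constructed PAN-OS threat log lines to show which events would be routed to nullQueue and which would still be indexed. Assumptions: the app directory name Splunk_TA_paloalto and the sourcetype names pan:log and pan:threat are as they appear in the thread; the directory passed to write_local_filter_config stands in for $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto; the sample log lines are constructed, not real captures, and only roughly follow the comma-separated PAN-OS syslog layout.

```shell
#!/bin/sh
# Added example, not code from the thread or the Palo Alto Networks TA.
# Assumptions: app dir name Splunk_TA_paloalto and sourcetype pan:log as
# named in the thread; the path given to write_local_filter_config is a
# stand-in for $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto.

# The filter regex exactly as posted in the question. Note that it only
# drops URL events whose line also contains "informational"; URL events
# with any other severity are left alone.
URL_FILTER_REGEX='^.*(THREAT,url,).*(informational).*$'

# Constructed sample events (not real captures). Field layout is an
# abbreviated imitation of PAN-OS syslog: ...,type,subtype,...,severity,...
SAMPLE_URL_INFO='1,2024/01/01 10:00:01,001,THREAT,url,1,10.0.0.5,203.0.113.7,web-browsing,alert,"example.test/",computer-and-internet-info,informational,client-to-server'
SAMPLE_URL_HIGH='1,2024/01/01 10:00:02,001,THREAT,url,1,10.0.0.5,203.0.113.8,web-browsing,block-url,"blocked.test/",malware,high,client-to-server'
SAMPLE_VULN_HIGH='1,2024/01/01 10:00:03,001,THREAT,vulnerability,1,10.0.0.5,203.0.113.9,web-browsing,alert,"",SQL Injection,high,client-to-server'
SAMPLE_TRAFFIC_END='1,2024/01/01 10:00:04,001,TRAFFIC,end,1,10.0.0.5,203.0.113.7,web-browsing,allow,informational'

# Write props.conf and transforms.conf into <app>/local/, with the
# TRANSFORMS- entry in the [pan:log] stanza as the answer suggests.
# $1 = directory standing in for $SPLUNK_HOME/etc/apps/Splunk_TA_paloalto
write_local_filter_config() {
    app_dir="$1"
    mkdir -p "$app_dir/local"
    cat > "$app_dir/local/props.conf" <<'EOF'
[pan:log]
# Route events matching [urlfilter] to nullQueue before indexing
TRANSFORMS-urlfilter = urlfilter
EOF
    {
        printf '[urlfilter]\n'
        printf 'REGEX = %s\n' "$URL_FILTER_REGEX"
        printf 'DEST_KEY = queue\n'
        printf 'FORMAT = nullQueue\n'
    } > "$app_dir/local/transforms.conf"
}

# Exit 0 if the event would go to nullQueue (dropped), 1 if it would be
# indexed. grep -E is used because this particular regex is valid both as
# PCRE (what Splunk uses) and as POSIX ERE.
event_is_dropped() {
    printf '%s\n' "$1" | grep -E -q "$URL_FILTER_REGEX"
}

# Read events one per line on stdin; print how many would still be indexed.
count_indexed() {
    kept=0
    while IFS= read -r line; do
        if ! event_is_dropped "$line"; then
            kept=$((kept + 1))
        fi
    done
    echo "$kept"
}

# Stand-alone demo: write the config to a temp dir and show each decision.
run_demo() {
    tmp=$(mktemp -d)
    write_local_filter_config "$tmp"
    echo "== $tmp/local/props.conf"; cat "$tmp/local/props.conf"
    echo "== $tmp/local/transforms.conf"; cat "$tmp/local/transforms.conf"
    for ev in "$SAMPLE_URL_INFO" "$SAMPLE_URL_HIGH" "$SAMPLE_VULN_HIGH" "$SAMPLE_TRAFFIC_END"; do
        if event_is_dropped "$ev"; then verdict=nullQueue; else verdict=indexed; fi
        printf '%-9s %s\n' "$verdict" "$ev"
    done
    rm -rf "$tmp"
}

run_demo
```

Of the four constructed lines, only the informational URL event matches; the high-severity URL event, the vulnerability event and the TRAFFIC event all pass through, which is a useful reminder that the posted regex is narrower than "all url events" and that license savings should be measured against actual data before relying on it. After copying the generated files under the real app's local/ directory and restarting, the standard `splunk btool props list pan:log --debug` and `splunk btool transforms list urlfilter --debug` commands show which file each merged setting comes from, which is the first place to look when a transform appears to be ignored.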
Thanks! that was it.