I was getting some error messages about Splunk being unable to parse the timestamp. I tracked it down to %ASA-5-304001 because it contains multiple lines and each line is treated as a separate entry; only the first line has the timestamp, so the remaining lines have no timestamp to parse.
Example of the event:
May 21 14:46:52 FWHOSTNAME : %ASA-5-304001: 192.168.20.59 Accessed URL 52.94.232.32:http://52.94.232.32/x/ae12848777b41970a5f2 HTTP/1.1
Host: s.amazon-adsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://gslbeacon.lijit.com/beacon
Do I need to create a new transforms.conf entry so that this specific event code is line-merged? I'm using the Splunk Add-On for Cisco ASA in Splunk Cloud.
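The failure mode described in the post, reproduced as an added example that is not part of the original post and not code from the Splunk Add-on for Cisco ASA: the script splits a constructed ASA sample once per newline (the behaviour that leaves header lines without a timestamp) and once using a Splunk-style LINE_BREAKER regex that only breaks before a line starting with a syslog timestamp. The sample events, the `cisco:asa` sourcetype name in the comment, and the props.conf stanza shown there are assumptions for illustration; verify the stanza against your TA's actual sourcetype before deploying it.

```python
import re
from datetime import datetime

# Constructed sample: one %ASA-5-304001 event whose HTTP request headers
# continue on extra lines, followed by a second single-line ASA event.
# This is test data, not a capture from the poster's firewall.
SAMPLE = (
    "May 21 14:46:52 FWHOSTNAME : %ASA-5-304001: 192.168.20.59 Accessed URL "
    "52.94.232.32:http://52.94.232.32/x/ae12848777b41970a5f2 HTTP/1.1\n"
    "Host: s.amazon-adsystem.com\n"
    "Connection: keep-alive\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    "Accept: image/webp,image/apng,image/*,*/*;q=0.8\n"
    "Referer: http://gslbeacon.lijit.com/beacon\n"
    "May 21 14:46:53 FWHOSTNAME : %ASA-6-302013: Built outbound TCP connection\n"
)

# Syslog-style timestamp that opens every ASA event: "Mon DD HH:MM:SS".
SYSLOG_TS = r"[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}"

# Regex in the shape Splunk's LINE_BREAKER expects: the capture group is the
# text consumed as the break, and the lookahead keeps the timestamp with the
# new event. The equivalent props.conf stanza (sourcetype name is assumed):
#   [cisco:asa]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2}\s)
LINE_BREAKER = re.compile(r"([\r\n]+)(?=" + SYSLOG_TS + r"\s)")


def split_per_line(raw):
    """Naive behaviour the poster is hitting: every newline ends an event."""
    return [line for line in raw.splitlines() if line]


def split_on_timestamp(raw):
    """Break only where the next line starts with a syslog timestamp.

    re.split() with a capturing group returns the captured separators too,
    so whitespace-only chunks are dropped.
    """
    chunks = LINE_BREAKER.split(raw)
    return [c.rstrip("\r\n") for c in chunks if c and not c.isspace()]


def has_timestamp(event):
    """True if the event starts with a timestamp strptime can parse.

    ASA syslog lines carry no year; strptime defaults it to 1900, which is
    fine for a format check.
    """
    m = re.match(SYSLOG_TS, event)
    if not m:
        return False
    try:
        datetime.strptime(m.group(0), "%b %d %H:%M:%S")
    except ValueError:
        return False
    return True


def report(raw, splitter):
    """Return (number of events, number of events with no parseable timestamp)."""
    events = splitter(raw)
    missing = sum(1 for e in events if not has_timestamp(e))
    return len(events), missing


if __name__ == "__main__":
    for name, fn in (("per-line", split_per_line), ("timestamp-break", split_on_timestamp)):
        total, missing = report(SAMPLE, fn)
        print(f"{name}: {total} events, {missing} without a timestamp")
```

Run it against a larger slice of your own ASA syslog before changing props.conf: if the timestamp-break splitter reports zero events without a timestamp, the same regex is safe to use as LINE_BREAKER. Note that line breaking is a props.conf setting, not a transforms.conf one, and that in Splunk Cloud it must be applied where the data is parsed (the forwarder or the cloud indexers), since the add-on's search-time settings will not merge lines that were already split.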