All Apps and Add-ons

Parsing ASA-5-304001: properly

Path Finder

I was getting some error messages about Splunk being unable to parse the timestamp. I tracked it down to %ASA-5-304001 because it contains multiple lines, and each line is treated as a separate line entry, and only the first line has the timestamp, therefore, no timestamp to parse.
Example of the event:

May 21 14:46:52 FWHOSTNAME : %ASA-5-304001: Accessed URL HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: image/webp,image/apng,image/,/*;q=0.8

Do I need to create a new transforms.conf entry so this specific event code is line merged? I'm using the Splunk Add-On for Cisco ASA in Splunk Cloud.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...