Parsing ASA-5-304001: properly

jcooperFossil
Path Finder

I was getting some error messages about Splunk being unable to parse the timestamp. I tracked it down to %ASA-5-304001 because it contains multiple lines, and each line is treated as a separate line entry, and only the first line has the timestamp, so there is no timestamp to parse.
Example of the event:

May 21 14:46:52 FWHOSTNAME : %ASA-5-304001: 192.168.20.59 Accessed URL 52.94.232.32:http://52.94.232.32/x/ae12848777b41970a5f2 HTTP/1.1
Host: s.amazon-adsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: http://gslbeacon.lijit.com/beacon

Do I need to create a new transforms.conf entry so this specific event code is line merged? I'm using the Splunk Add-On for Cisco ASA in Splunk Cloud.

0 Karma
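One way to keep the whole message together is to break events only where a new syslog header starts, so the HTTP header lines that follow inherit the first line's timestamp. This is an added example, not the poster's configuration or the add-on's own props.conf; it assumes the add-on's cisco:asa sourcetype and a syslog header of the form shown above, and the stanza has to live on whichever tier parses the data (the indexers, or a heavy forwarder, delivered as a private app in Splunk Cloud).

```ini
# props.conf (added example; assumes the sourcetype is cisco:asa, as set by the add-on)
[cisco:asa]
# Let LINE_BREAKER decide event boundaries instead of the slower line-merge pass
SHOULD_LINEMERGE = false
# Break only on a newline that is followed by a syslog header
# ("May 21 14:46:52 HOST : %ASA-"). Lines such as "Host:" or "User-Agent:"
# never match the lookahead, so they stay attached to the 304001 event before them.
LINE_BREAKER = ([\r\n]+)(?=[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s*:\s*%ASA-)
# The timestamp sits at the very start of the merged event
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 16
```

Once deployed, a search such as sourcetype=cisco:asa "%ASA-5-304001" should return one event per URL access that carries the Host and User-Agent lines, and the timestamp-parsing warnings for those continuation lines should stop.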