Solved: Parsing Issue

rbonfadini · ‎04-04-2018

I have the 6.0.2 TA deployed per the instructions.

I'm receiving parsed logs for pan:threat, config, traffic, and system. I'm still receiving pan:log, which I believe should be parsing out to pan:hipmatch.

What may be the issue where some, but not all sourcetypes are being parsed out correctly?

splunker12er · ‎04-04-2018

Check your TA props.conf - stanza TRANSFORMS-sourcetype has config for pan_hipmatch and in your transforms.conf you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..

View solution in original post

splunker12er · ‎04-04-2018

Check your TA props.conf - stanza TRANSFORMS-sourcetype has config for pan_hipmatch and in your transforms.conf you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..

rbonfadini · ‎04-05-2018

You were correct. OOTB transforms.conf regex for hipmatch wasn't lining up with our log output. Had to tweak the regex. Thank you.

Parsing Issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation