Solved: Significant issues with props.conf in Splunk Add-o...

ckurtz · ‎01-02-2014

The sourcetype declarations in default/props.conf are severely flawed, and would make changes far outside the scope of the app if implemented as they are now.

Each sourcetype includes unacceptable wildcards (such as "everything ending in asa" and ("all tcp/udp inputs") that are very dangerous. Examples for the file:

[source::....asa]
sourcetype = cisco:asa
[source::tcp*]
TRANSFORMS-x = force_sourcetype_for_cisco_asa
[source::udp*]
TRANSFORMS-x = force_sourcetype_for_cisco_asa

At the very least, these should be commented out and have instructions on how to specify the user's own cisco asa sourcetype.

jbsplunk · ‎01-02-2014

Agreed, these issues have been reported to Splunk internally and will be evaluated for the next major release of this particular app. At this point, no ETA exists.

View solution in original post

jbsplunk · ‎01-02-2014

Agreed, these issues have been reported to Splunk internally and will be evaluated for the next major release of this particular app. At this point, no ETA exists.

Significant issues with props.conf in Splunk Add-on Cisco for ASA

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation