All Apps and Add-ons

Splitting data into different sourcetypes

marka3721
Loves-to-Learn

Created the inputs in the local folder of the apps to use UDP on the heavy forwarder, set the sourcetype to f5:bigip:syslog, but the app is not splitting the data into multiple sourcetypes like it says it is supposed to. Can someone let me know what can be done to get this to work?

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

Are you directly receiving F5 logs, or is there an intermediate log collector?

If there's an intermediate log collector, it probably modifies the log format: search the app's props.conf and transforms.conf for the regexes that apply the sourcetype override and check whether your logs match these regexes.

If not, open a case with Splunk Support, because this app is Splunk supported.

Ciao.

Giuseppe

0 Karma

marka3721
Loves-to-Learn

They are coming into the HF through syslog UDP port.

0 Karma

PickleRick
SplunkTrust

1. And you have the add-on installed on the HF?

2. Have you configured your F5 to properly export the data? (AFAIR there's a section in the docs describing required configuration which needs to be performed on the F5's side.)

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

In this case, check the regexes used in the transformations:

Take some log samples and put them in regex101.com; then use this regex and see what it captures as group 1:

^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)

If it captures the correct extension of the sourcetype, it's correct; otherwise, modify it to adapt it to your different log format.

Only one final question: what's the sourcetype of your logs?

It should be fortigate_log or fgt_log; otherwise the transformations aren't taken into consideration.

Ciao.

Giuseppe

0 Karma

marka3721
Loves-to-Learn

We have it set to f5:bigip:syslog

0 Karma

gcusello
SplunkTrust

Hi @marka3721 ,

You are right! Sorry, I confused F5 with Fortinet!
Anyway, take the transformations you find in the add-on's transforms.conf and try them out.

The transformations to search for and verify in transforms.conf are: f5_bigip-icontrol-locallb, f5_bigip-icontrol-globallb, f5_bigip-icontrol-networking, f5_bigip-icontrol-management, f5_bigip-icontrol-system-systeminfo, f5_bigip-icontrol-system-statistics, f5_bigip-icontrol-system-disk, f5_bigip-icontrol-management-device, f5_bigip-icontrol-networking-interfaces, f5_bigip-icontrol-networking-adminip, f5_bigip-icontrol-locallb-pool, f5_bigip-icontrol-management-usermanagement.

Check whether those regexes match your data or whether you need to modify them to adapt them to your logs.

If you have to modify them, remember to copy the transforms.conf file into the local folder before modifying it.

Ciao.

Giuseppe

0 Karma
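The diagnostic suggested in the two replies above (paste sample events into a regex tester and see whether the sourcetype-override regex captures the expected group) can be scripted so that a whole sample file is checked at once. The following Python script is an added example, not code from the thread, from Splunk or from the F5 or Fortinet add-ons. It emulates the part of Splunk's transforms.conf processing that matters here: each stanza's REGEX is tried in order against the raw event, and the first match rewrites the sourcetype through a FORMAT of the form sourcetype::value with $N group references. The regex is the one quoted in the thread; the fgt_ prefix in FORMAT and all sample events are constructed for illustration, and the F5-style line is included only to show what an event that matches no transform looks like (it keeps its base sourcetype, which is the symptom described in the question).

```python
import re

# Added example: offline emulation of a Splunk transforms.conf sourcetype override
# (DEST_KEY = MetaData:Sourcetype, FORMAT = sourcetype::<value>). Not the add-on's own code.

# Transforms are tried in the order props.conf lists them under TRANSFORMS-*; the first
# REGEX that matches wins. FORMAT uses Splunk's $N capture-group references.
TRANSFORMS = [
    {
        "name": "fortigate_type_override",
        # Regex quoted in the thread (Fortinet add-on); group 1 becomes the sourcetype suffix.
        "REGEX": r'^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)',
        # The fgt_ prefix is an assumption for illustration, not copied from the add-on.
        "FORMAT": "sourcetype::fgt_$1",
    },
]

# Constructed sample events: three Fortinet-style key=value lines in the quoted, unquoted
# and comma-separated forms, plus one F5 BIG-IP-style syslog line that has no devid=/type= pair.
SAMPLE_EVENTS = [
    'date=2024-05-01 time=10:00:00 devname="fw1" devid="FGT60F0000000001" type="traffic" subtype="forward"',
    'date=2024-05-01 time=10:00:01 devid=FG100F0000000002 type=utm subtype=virus',
    'date=2024-05-01 time=10:00:02 devid="FWF40F0000000003",type="event" subtype="system"',
    '<134>May  1 10:00:03 bigip1 info tmm[1234]: 01490500:5: /Common/vs_web: Session started',
]


def _expand_format(fmt, match):
    """Resolve $N references in a Splunk FORMAT string from the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), fmt)


def resolve_sourcetype(event, base_sourcetype, transforms=TRANSFORMS):
    """Return the sourcetype Splunk would assign: the first matching transform, else the base."""
    for t in transforms:
        m = re.search(t["REGEX"], event)
        if m:
            key, value = _expand_format(t["FORMAT"], m).split("::", 1)
            if key == "sourcetype":
                return value
    return base_sourcetype


def find_unmatched(events, base_sourcetype, transforms=TRANSFORMS):
    """The check from the thread: events that no transform rewrites keep the base sourcetype."""
    return [e for e in events
            if resolve_sourcetype(e, base_sourcetype, transforms) == base_sourcetype]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(resolve_sourcetype(e, "fortigate_log"), "<-", e[:60])
    print("unmatched:", len(find_unmatched(SAMPLE_EVENTS, "fortigate_log")))
```

To apply this to the F5 case, replace the single entry in TRANSFORMS with the REGEX and FORMAT values copied from the add-on's transforms.conf stanzas named in the reply above, feed it real events captured on the heavy forwarder, and look at what find_unmatched returns: those are the events the add-on will leave at the base sourcetype, and the regexes to adapt in the local copy of transforms.conf.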