Splunk for Cisco Firewalls App Strangeness.

Splunker
Communicator

Folks,

I'm having a strange problem I've been unable to resolve. I'm running Splunk 4.2.4 in a distributed setup (1 x Search-Head & 1 x Indexer).

I've installed the Splunk for Cisco Firewalls app (on SH and Indexer) and I'm actually trying to troubleshoot a macro, but when I run the search manually it doesn't work, so the problem is not the macro.

Doing the following search (with the Splunk for Cisco Firewalls app installed and ASA data sourcetype'd as cisco_asa) returns no hits:

sourcetype=cisco_asa action=allowed

Whereas sourcetype=cisco_asa alone returns results, and in the field picker I can see the action field with a value of allowed in it (originating from ASA "Built" connections).

Even clicking on the value in the action field from the field picker returns no results whenever "action=allowed" is added to the search. I've tried double-quotes and single-quotes as well.

I've checked permissions, the apps props.conf/transforms.conf (all defaults) of the Splunk Cisco Firewalls app, and everything seems fine.

If someone has some sample Cisco ASA data loaded and could test the above search, I'd be interested to know if it works.

Or any thoughts on something I could try? I've run out of ideas 🙂

Thanks!

0 Karma

Splunker
Communicator

[..posted as an answer as it won't fit as a comment :)...]

Hmm, I've got a hunch the FORMAT specifier isn't accepting multiple fields:

[ciscosyslog-action-allowed]
REGEX = (Built|[pP]ermitted)
FORMAT = action::allowed actual_action::$1

Taken from $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/default/transforms.conf

When I search for 'sourcetype=cisco_asa actual_action=Built' it returns hits OK, but not for 'sourcetype=cisco_asa action=allowed'.

I suspect the latter overrides the former in the FORMAT string. The strange thing is i've read transforms.conf.spec and it states:

* FORMAT for search-time extractions:
* The format of this field as used during search time extractions is as follows:
* FORMAT = <field-name>::<field-value>( <field-name>::<field-value>)*

And it's definitely a search-time transform (from $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewall/default/props.conf):

[cisco_asa]
REPORT-asa = ...., ciscosyslog-action-allowed, ... etc

Starting to wonder if this is a bug. Doing some more testing.

0 Karma
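To make the hunch above testable offline, here is an added example (not code from the original post and not Splunk's extraction engine) that applies the quoted REGEX/FORMAT stanza the way transforms.conf.spec documents it: one REGEX match, then every `<name>::<value>` token in FORMAT becomes a field, with `$1` substituted from the capture group. The ASA syslog lines are constructed samples. If the documented semantics are right, both `action=allowed` and `actual_action=Built` should hit on the same "Built" event, which is what the poster expected Splunk to return.

```python
import re

# Constructed sample ASA syslog lines (not from the original post)
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/40000 "
    "(192.0.2.10/40000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "%ASA-6-106100: access-list inside permitted tcp inside/10.0.0.5(51000) -> "
    "outside/198.51.100.7(80) hit-cnt 1 first hit",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:192.0.2.10/40000 to "
    "inside:10.0.0.5/443 duration 0:00:05 bytes 1234 TCP FINs",
]

# The [ciscosyslog-action-allowed] stanza as quoted in the thread
TRANSFORM = {
    "REGEX": r"(Built|[pP]ermitted)",
    "FORMAT": "action::allowed actual_action::$1",
}


def parse_format(fmt):
    """Split a search-time FORMAT string into (field-name, field-value) pairs.

    Follows the spec grammar: <name>::<value>( <name>::<value>)*
    """
    pairs = []
    for token in fmt.split():
        name, sep, value = token.partition("::")
        if not sep or not name:
            raise ValueError(f"bad FORMAT token: {token!r}")
        pairs.append((name, value))
    return pairs


def apply_transform(event, transform):
    """Return the fields the transform would extract from one raw event.

    Returns {} when REGEX does not match, mirroring a transform that
    simply contributes nothing to that event.
    """
    m = re.search(transform["REGEX"], event)
    if not m:
        return {}
    groups = m.lastindex or 0

    def substitute(ref):
        # $0 is the whole match, $1..$n the capture groups; unknown refs become empty
        idx = int(ref.group(1))
        return m.group(idx) if idx <= groups else ""

    fields = {}
    for name, value in parse_format(transform["FORMAT"]):
        fields[name] = re.sub(r"\$(\d+)", substitute, value)
    return fields


def search(events, transform, **criteria):
    """Mimic `field=value` filtering against the extracted fields."""
    hits = []
    for event in events:
        fields = apply_transform(event, transform)
        if all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(apply_transform(event, TRANSFORM))
    print("action=allowed hits:", len(search(SAMPLE_EVENTS, TRANSFORM, action="allowed")))
    print("actual_action=Built hits:", len(search(SAMPLE_EVENTS, TRANSFORM, actual_action="Built")))
```

Under the documented semantics the "Built" and "permitted" events both carry action=allowed, and only the "Built" event carries actual_action=Built, so `action=allowed` should return at least as many events as `actual_action=Built`. If a real Splunk instance returns hits for the second search but none for the first, the gap is between this spec behaviour and what that installation is doing, which is the point worth raising with support or checking with btool.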

dmaislin_splunk
Splunk Employee

Did you try making the app global when you are in the search app and re-run your test? Many of the macros and extractions are stored in the app and if you run a generic search outside the cisco apps, they may not work since the fields are not exposed in other apps. Go to manager/apps and set the permissions of the various cisco apps/addons and try again.

0 Karma

Splunker
Communicator

Thanks - I am running in a user account with the admin role assigned. I've gone over the generic permissions but will look a little further.

I tried running under 'splunk start --diag' and am looking through the debug for clues at the moment.

The macro basically doesn't run because the underlying search doesn't work, so I'm debugging the search as a search at the moment, not as a macro (I'll be doing that next..).

Anyway, I'll dig into the permissions more and see what I find.

Thanks.

0 Karma