All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

regex in Splunk_TA_juniper not matching logs

mirkokorn
Explorer
‎10-26-2018 12:33 AM

Hi there,

I'm currently onboarding juniper srx firewall data with the Splunk_TA_juniper. Unfortunately the format in the app does not match the logs produced by our devices.

For example the app does contain the following in transforms.conf:
[force_sourcetype_for_junos_firewall]
DEST_KEY = MetaData:Sourcetype
REGEX = \s+RT_FLOW:|\s+RT_IDS:
FORMAT = sourcetype::juniper:junos:firewall

Our logs look like this:
<Timestamp> <Hostname> RT_FLOW <Message>

So in our logs there is no colon after RT_FLOW. Is this a known problem with SRX firewalls in combination with the TA? I just wanted to make sure that there is no simple way around this before I go and rewrite all the regex to match our logs.

Thanks in advance.

Reply

mirkokorn
Explorer
‎11-04-2018 05:57 AM

Already found the answer, but just wanted to share in case anybody else runs into this problem.

We had the structured-data format enabled. Therefore the format didn't match the expectations of the app. Turned the option off and the app worked fine.

Reply

DBattisto
Communicator
‎02-28-2019 06:17 AM

I'm not a Juniper guy, so I had to look this up. Here's a good link:

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/syslog-message-structure...

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...