Splunk log filtering via Splunk Heavy forwarder

Sayanta_Basak_I
Explorer

Hello,

I have the logs coming from our IPS in the below format:

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, IngressZone: Default-VRF-location, EgressZone: Prod-location DE: Primary Detection Engine (7eaa2610-2c9a-11e7-a3ec-f9112474357f), Policy: LO-Access-Policy, ConnectType: End, AccessControlRuleName: DefaultVRF to DCLAN, AccessControlRuleAction: Allow, Prefilter Policy: Unknown, UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 2, InitiatorBytes: 234, ResponderBytes: 136, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown

If I want to filter the events and pick only the below information via a Heavy Forwarder, will Splunk allow me to do that?

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required

s2_splunk
Splunk Employee

Side comment: If you don't already have a heavy forwarder in your environment, don't introduce one just to do the filtering unless you ensure you are not creating a bottleneck.
You can filter unwanted things on the indexer directly and filtered stuff does not count against your license.

mdsnmss
SplunkTrust

Use props and transforms on the heavy forwarder.

props.conf

[sourcetype/source/etc]
# the key is TRANSFORMS-<class>; the value names the stanza in transforms.conf
TRANSFORMS-trim_event = trim_event

transforms.conf

[trim_event]
# rewrite the raw event instead of extracting a field
DEST_KEY = _raw
# capture everything from the start of the event through the UserName value
REGEX = (.*UserName: .+?),
# replace _raw with capture group 1
FORMAT = $1

You might have to adjust the regex based on your needs. I am not a regex wizard, but based on your sample event that would capture what you want.

Sayanta_Basak_I
Explorer

Hello @mdsnmss

Thank you for your response. I am trying to understand how this might work before implementing it. Since your regex just includes UserName, does this mean only the UserName info will be retained, and I have to make similar comma-separated inputs to onboard the other info? My requirement is to convert the source log dump to something limited, as below:

Connection logs:
Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, EgressInterface: Prod, ConnectType: End, AccessControlRuleAction: Allow, UserName: No Authentication Required

mdsnmss
SplunkTrust

The way the regex works is it will capture everything between (). You can test by using something like https://regex101.com/. The capture group is set up with .* before UserName, which means capture everything up to UserName. Once it sees UserName it will continue to capture everything up until the next comma. So if all of your events are formatted the same as your original, it should capture what you are looking for. There are probably better ways to create the capture group since I am not a regex expert. I'd welcome anyone else's input on the regex.

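As an added illustration (not part of this thread, and not Splunk's own code), the script below approximates what a transforms.conf stanza with DEST_KEY = _raw does, so the two regexes can be compared offline against the sample event from the question: the single-group regex posted above only cuts off the fields after UserName, while a hypothetical multi-group regex with FORMAT = $1, $2, $3, $4 yields exactly the 12 fields the question asks for. It assumes Python's re behaves the same as Splunk's PCRE on these patterns, which holds here; the real stanza should still be verified on the heavy forwarder.

```python
import re

# Constructed sample: the Connection log line posted in the question (the truncated
# value "10.2.2." is kept exactly as it appears there).
RAW = ("Aug 10 08:54:44 HOST SFIMS: Protocol: TCP, SrcIP: 10.1.1.1, OriginalClientIP: ::, "
       "DstIP: 10.2.2., SrcPort: 58457, DstPort: 80, TCPFlags: 0x0, IngressInterface: Default-VRF, "
       "EgressInterface: Prod, IngressZone: Default-VRF-location, EgressZone: Prod-location "
       "DE: Primary Detection Engine (7eaa2610-2c9a-11e7-a3ec-f9112474357f), "
       "Policy: LO-Access-Policy, ConnectType: End, AccessControlRuleName: DefaultVRF to DCLAN, "
       "AccessControlRuleAction: Allow, Prefilter Policy: Unknown, "
       "UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 2, "
       "InitiatorBytes: 234, ResponderBytes: 136, NAPPolicy: Balanced Security and Connectivity, "
       "DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, "
       "URLReputation: Risk unknown")

# Regex from the answer in this thread: one group, everything from the start of the
# event through the UserName value.
POSTED_REGEX = r"(.*UserName: .+?),"
POSTED_FORMAT = "$1"

# Hypothetical alternative stanza: one capture group per run of wanted keys, reassembled
# by FORMAT. Only the keys listed in the question survive; everything else is dropped.
ALLOWLIST_REGEX = (
    r"^(.*?SFIMS: Protocol: [^,]+, SrcIP: [^,]+, OriginalClientIP: [^,]+, DstIP: [^,]+, "
    r"SrcPort: [^,]+, DstPort: [^,]+, TCPFlags: [^,]+, IngressInterface: [^,]+, "
    r"EgressInterface: [^,]+), .*?(ConnectType: [^,]+), "
    r".*?(AccessControlRuleAction: [^,]+), .*?(UserName: [^,]+)"
)
ALLOWLIST_FORMAT = "$1, $2, $3, $4"


def apply_transform(raw: str, regex: str, fmt: str) -> str:
    """Approximate a transforms.conf stanza with DEST_KEY = _raw: run REGEX over the event
    and, on a match, replace _raw with FORMAT where $1, $2, ... are the capture groups.
    Events that do not match are passed through unchanged, as Splunk does."""
    m = re.search(regex, raw)
    if not m:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


def trim_posted(raw: str = RAW) -> str:
    return apply_transform(raw, POSTED_REGEX, POSTED_FORMAT)


def trim_allowlist(raw: str = RAW) -> str:
    return apply_transform(raw, ALLOWLIST_REGEX, ALLOWLIST_FORMAT)


if __name__ == "__main__":
    print(trim_posted())     # still carries IngressZone ... Prefilter Policy
    print(trim_allowlist())  # exactly the 12 fields requested in the question
```

A transform that does not match leaves the event untouched, so a formatting change on the IPS side silently turns filtering off; an alert on unexpectedly long events for this sourcetype will catch that.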