How to edit props and transforms to route data to an index based field?

martaBenedetti
Path Finder

Hi,

I'm trying to route data to a specific index based on a value in a field.

I have a series of data that look like this:

Mar  1 16:26:52 xxx.xxx.xxx.xxx Mar 01 2022 16:26:52 hostname : %FTD-6-113008: AAA transaction status ACCEPT : user = username
Mar  1 17:42:18 xxx.xxx.xxx.xxx Mar 01 2022 17:42:18 hostname  : %ASA-6-611101: User authentication succeeded: IP address: xxx.xxx.xxx.xxx, Uname: username

My props.conf on the indexer looks like this:

[cisco:asa]
TRANSFORMS-01_index = force_index_asa_audit

My transforms.conf on the indexer looks like this:

[force_index_asa_audit]
DEST_KEY = _MetaData:Index
REGEX = (?:ASA|FTD)-\d+-(?:113008|113012|113004|113005|611101|605005|713166|713167|713185|716038|716039|713198|502103|111008|111010)
FORMAT = asa_audit

But unfortunately nothing happens.

I've also tried using source in props.conf, with no successful result.

Do you have any idea?

Thanks a lot

Marta


somesoni2
SplunkTrust

Your regex/configuration looks good. Where are you keeping these configurations? If you use a heavy forwarder, it should be set on the heavy forwarder. If data is sent directly from a Universal Forwarder to the indexer, set this on the indexer. Do remember to restart Splunk after making this configuration change.

martaBenedetti
Path Finder

somesoni2, the configurations are kept on the Heavy Forwarders; data ingestion is done by monitoring files written by rsyslog.

The Splunk Add-on for Cisco ASA is also installed on the Heavy Forwarder, and it performs a sourcetype rename (from cisco_asa to cisco:asa): could this be the reason why the configurations are not working?

Thanks for your help

Marta


somesoni2
SplunkTrust

Yes. Your transform should be applied to the original sourcetype, i.e. "cisco_asa" (props.conf change).

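The point of the accepted answer is an ordering one: index-time TRANSFORMS are looked up under the sourcetype the event arrived with, so a routing transform attached to the renamed stanza (cisco:asa) never runs when the add-on renames cisco_asa on the same Heavy Forwarder. The following is an added illustration, not Splunk code and not part of the original thread: a small Python model of that lookup, run over constructed sample events in the same shape as the ones posted (IPs, hostnames and usernames are placeholders). It uses the thread's own REGEX unchanged and compares the broken props layout (transform on cisco:asa) with the fixed one (transform on cisco_asa). The stanza names, the third "non-audit" event and the function names are assumptions for the example.

```python
import re

# Constructed sample events in the shape shown in the thread (placeholder IPs/hosts/users).
# The third event uses a message ID that is NOT in the audit list, so it must stay in the default index.
SAMPLE_EVENTS = [
    "Mar  1 16:26:52 192.0.2.10 Mar 01 2022 16:26:52 fw01 : %FTD-6-113008: AAA transaction status ACCEPT : user = jdoe",
    "Mar  1 17:42:18 192.0.2.10 Mar 01 2022 17:42:18 fw01  : %ASA-6-611101: User authentication succeeded: IP address: 198.51.100.7, Uname: jdoe",
    "Mar  1 17:43:01 192.0.2.10 Mar 01 2022 17:43:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443",
]

# The REGEX from the thread's transforms.conf, copied verbatim.
AUDIT_REGEX = re.compile(
    r"(?:ASA|FTD)-\d+-(?:113008|113012|113004|113005|611101|605005|713166|713167"
    r"|713185|716038|716039|713198|502103|111008|111010)"
)

# Model of transforms.conf: one index-routing transform.
TRANSFORMS = {
    "force_index_asa_audit": {
        "dest_key": "_MetaData:Index",
        "regex": AUDIT_REGEX,
        "format": "asa_audit",
    },
}

# Model of props.conf as originally posted: the add-on renames cisco_asa -> cisco:asa,
# and the routing transform is attached to the NEW name (this is the configuration that did nothing).
PROPS_BROKEN = {
    "cisco_asa": {"rename": "cisco:asa"},
    "cisco:asa": {"transforms": ["force_index_asa_audit"]},
}

# Model of props.conf after the accepted answer: the transform sits on the ORIGINAL sourcetype.
PROPS_FIXED = {
    "cisco_asa": {"rename": "cisco:asa", "transforms": ["force_index_asa_audit"]},
    "cisco:asa": {},
}


def route_event(event, original_sourcetype, props, transforms, default_index="main"):
    """Simplified model (assumption, not Splunk's implementation) of index-time processing:
    index-time TRANSFORMS are taken from the stanza of the sourcetype the event arrived with,
    and the rename is applied afterwards. Returns (destination index, final sourcetype)."""
    stanza = props.get(original_sourcetype, {})
    index = default_index
    for name in stanza.get("transforms", []):
        transform = transforms[name]
        if transform["dest_key"] == "_MetaData:Index" and transform["regex"].search(event):
            index = transform["format"]
    final_sourcetype = stanza.get("rename", original_sourcetype)
    return index, final_sourcetype


def route_all(props, events=SAMPLE_EVENTS, original_sourcetype="cisco_asa"):
    """Route every sample event under the given props layout; returns a list of (index, sourcetype)."""
    return [route_event(e, original_sourcetype, props, TRANSFORMS) for e in events]


if __name__ == "__main__":
    for label, props in (("broken (transform on cisco:asa)", PROPS_BROKEN),
                         ("fixed (transform on cisco_asa)", PROPS_FIXED)):
        print(label)
        for event, (index, sourcetype) in zip(SAMPLE_EVENTS, route_all(props)):
            msg_id = event.split("%")[1].split(":")[0]
            print(f"  {msg_id:<14} -> index={index:<10} sourcetype={sourcetype}")
```

With the broken layout every event lands in the default index even though the regex matches, because the cisco:asa stanza is never consulted at index time; with the fixed layout the two AAA/authentication events go to asa_audit and the connection event stays in main, while all three still end up with sourcetype cisco:asa.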

martaBenedetti
Path Finder

Thanks a lot somesoni2, now it is working fine!
