I have Splunk for Cisco Firewalls app v2.0 installed. It is generating some warning messages in the logs: WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='ciscosyslog-src_dom_addr_port_2'; WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='ciscosyslog-dst_dom_addr_port_2'; and WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='product_static_IDS'. Are there any samples of stanzas (or example transforms.conf) for these transforms?
Looks like there is either two missing transforms in default/transforms.conf or the props.conf should be corrected not to call the two _2 transforms.
Namely: ciscosyslog-src_dom_addr_port_2, ciscosyslog-dst_dom_addr_port_2
Perhaps this was a copy/paste error by the developer. For now I'm going to simply remove the transform calls.
Looks like there is either two missing transforms in default/transforms.conf or the props.conf should be corrected not to call the two _2 transforms.
Namely: ciscosyslog-src_dom_addr_port_2, ciscosyslog-dst_dom_addr_port_2
Perhaps this was a copy/paste error by the developer. For now I'm going to simply remove the transform calls.
Of the three transforms, I did manage to "fix" two of them while working on a solution for my environment for this problem: http://splunk-base.splunk.com/answers/8006/cisco-app-pix-inbound-vs-outbound. I have not revisited the other to see if I want to just remove the transform call or find/create a transform to use.
Thanks.