Getting Data In

problem filtering data

fahrenheit
New Member

Good morning,

I have a problem filtering data from UF.

The scenario:

UF --> Splunk indexer

Configuration in the UF:

inputs.conf:
[default]
host = server1

[monitor:///home/user/prueba/]
disabled = false
index = firewall
sourcetype = cisco_asa
queue = parsingQueue

outputs.conf:
[tcpout]
defaultGroup = splunk

[tcpout:splunk]
disabled = false
server = 1.1.1.1:22222
compressed = false

[tcpout-server://1.1.1.1:22222]

Configuration in the Splunk indexer:

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf:
[splunktcp://:22222]
TRANSFORMS-set = setnull,setparsing

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue

I receive all data and the data isn't filtered.

Can you help?

Thanks

1 Solution

bjoernjensen
Contributor

Hi,

I just did some testing on this topic using the filtering at the UF.

A short addition to what is described in the documentation (link): I had to keep my entry in the inputs.conf. For example:

inputs.conf:
[WinEventLog:Security]
disabled = 0

props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0

transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue

After restarting the UF service I only got events filtered accordingly. Of course, that only holds for searches going back to the point in time when I restarted the UF service.

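The nullQueue/indexQueue pattern in this answer and in the question's transforms.conf depends on the order in TRANSFORMS-set: the catch-all setnull has to run first so that the allow-list transform overrides it last. The following is an added example, not code from the thread or from Splunk: a Python simulation of that routing over constructed Cisco ASA-style events using the question's two regexes. The configparser-based stanza loader and the sample events are my own assumptions, not Splunk's parser.

```python
"""Simulate Splunk's parse-time queue routing for a TRANSFORMS-<class> list."""
import configparser
import re

# Constructed copy of the transforms.conf stanzas from the question.
TRANSFORMS_CONF = """[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed ASA-style sample events; only the two allow-listed message IDs should survive.
SAMPLE_EVENTS = [
    "%ASA-4-113019: Group = vpn, Username = alice, IP = 10.0.0.5, Session disconnected.",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.7/443",
    "%ASA-5-713120: Group = vpn, IP = 10.0.0.9, PHASE 2 COMPLETED",
]

def load_transforms(text):
    """Parse transforms.conf stanzas into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their written case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_event(event, transforms, order):
    """Queue an event lands in: it starts in indexQueue, and every transform in
    TRANSFORMS-set order whose REGEX matches overwrites it, so the last match wins."""
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue

def route_all(order):
    """Route every sample event with the given TRANSFORMS-set order."""
    transforms = load_transforms(TRANSFORMS_CONF)
    return [route_event(e, transforms, order) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    # Thread's order: catch-all setnull first, then the allow-list override.
    print(route_all(["setnull", "setparsing"]))  # ['indexQueue', 'nullQueue', 'indexQueue']
    # Reversed: setnull runs last and matches everything, so nothing is indexed.
    print(route_all(["setparsing", "setnull"]))  # ['nullQueue', 'nullQueue', 'nullQueue']
```

Running it with the reversed order shows the silent failure mode worth checking for: every event is dropped and nothing reaches the firewall index.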

fahrenheit
New Member

Hi,

Now it is working. I have changed

[splunktcp://:22222]

for

[cisco_asa]

thanks


fahrenheit
New Member

Yes, I have restarted the Splunk web service.

Can I filter in the UF? I think that isn't possible, only in a heavy forwarder.

thanks



fahrenheit
New Member

If I send the logs from the firewall to Splunk the filter is OK, but if I send the logs via the UF the filter is not working.

thanks


fahrenheit
New Member

I have configured props.conf and transforms.conf in the UF and I receive all events. I have restarted the service in the UF.


bjoernjensen
Contributor

I guess you did restart or ran "| extract reload=t" in Splunk Web, respectively?

You could also do the filtering at the UF.
