problem filtering data

fahrenheit
New Member

Good morning,

I have a problem filtering data from UF.

The scenario:

UF --> Splunk indexer

Configuration in UF:

inputs.conf
[default]
host = server1

[monitor:///home/user/prueba/]
disabled = false
index = firewall
sourcetype = cisco_asa
queue = parsingQueue

outputs.conf
[tcpout]
defaultGroup = splunk

[tcpout:splunk]
disabled = false
server = 1.1.1.1:22222
compressed = false

[tcpout-server://1.1.1.1:22222]

Configuration in Splunk indexer:

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf
[splunktcp://:22222]
TRANSFORMS-set= setnull,setparsing

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue

I receive all data and the data isn't filtered.

Can you help?

thanks

1 Solution

bjoernjensen
Contributor

Hi,

I just did some testing on this topic using the filtering at the UF.

A short addition to what is described in the documentation (link): I had to keep my entry in the inputs.conf. For example:

inputs.conf:
[WinEventLog:Security]
disabled = 0

props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0

transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue

After restarting the UF service I only got the accordingly filtered events. Of course, searching only back to the point in time when I restarted the UF service.

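To make the queue-routing logic concrete for both configurations in this thread (the indexer-side cisco_asa filter in the first post and the UF-side WinEventLog:Security filter in the accepted answer), here is a small Python model of how a props.conf stanza and its TRANSFORMS-set list decide between indexQueue and nullQueue. This is an added example written for this page; it is not Splunk code and not from any poster. The log lines are constructed, the sourcetype/source::/host:: stanza matching is a simplified approximation of Splunk's rules, and stanza precedence between overlapping stanzas is not modelled.

```python
import re
from fnmatch import fnmatch

# Simplified model (constructed, not Splunk code) of parse-time queue routing:
# a props.conf stanza is selected for the event, every TRANSFORMS-<class>
# entry in that stanza is applied in the listed order, and for transforms
# with DEST_KEY = queue the LAST one whose REGEX matches _raw wins.
# Events start in indexQueue; nullQueue means "discard before indexing".
DEFAULT_QUEUE = "indexQueue"

# transforms.conf as written in the thread: drop everything, then pull back
# the two message IDs of interest.
TRANSFORMS = {
    "setnull": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {
        "REGEX": r"(ASA-4-113019|ASA-5-713120)",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}

# The props.conf that works (keyed by sourcetype) next to the one from the
# first post (keyed by an inputs.conf-style stanza, which props.conf never
# matches against an event).
PROPS_BY_SOURCETYPE = {"cisco_asa": {"TRANSFORMS-set": "setnull,setparsing"}}
PROPS_BY_INPUT = {"splunktcp://:22222": {"TRANSFORMS-set": "setnull,setparsing"}}


def stanza_applies(stanza, sourcetype, source="", host=""):
    """True if a props.conf stanza header selects this event.

    props.conf headers are a sourcetype name, or a source::<glob> /
    host::<glob> pattern. Anything else (e.g. [splunktcp://:22222]) is an
    inputs.conf stanza name and selects no events at all.
    """
    if stanza.startswith("source::"):
        return fnmatch(source, stanza[len("source::"):])
    if stanza.startswith("host::"):
        return fnmatch(host, stanza[len("host::"):])
    return stanza == sourcetype


def route_event(raw, sourcetype, props, transforms=TRANSFORMS, source="", host=""):
    """Return the queue name the event ends up in after all routing transforms."""
    queue = DEFAULT_QUEUE
    for stanza, settings in props.items():
        if not stanza_applies(stanza, sourcetype, source, host):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t["DEST_KEY"] != "queue":
                    continue
                if re.search(t["REGEX"], raw):
                    queue = t["FORMAT"]  # later matches override earlier ones
    return queue


def filter_events(events, sourcetype, props, transforms=TRANSFORMS):
    """Events that would actually be indexed under the given props/transforms."""
    return [e for e in events if route_event(e, sourcetype, props, transforms) == "indexQueue"]


# Constructed sample syslog lines loosely shaped like Cisco ASA messages;
# only the message IDs matter for the regexes above.
SAMPLE_EVENTS = [
    "%ASA-4-113019: Group = vpn, Username = alice, IP = 203.0.113.5, Session disconnected.",
    "%ASA-5-713120: Group = vpn, IP = 203.0.113.5, PHASE 2 COMPLETED",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/443",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/5555 to 192.0.2.1/80",
]

if __name__ == "__main__":
    print("keyed by sourcetype :", filter_events(SAMPLE_EVENTS, "cisco_asa", PROPS_BY_SOURCETYPE))
    print("keyed by input      :", filter_events(SAMPLE_EVENTS, "cisco_asa", PROPS_BY_INPUT))
    reversed_order = {"cisco_asa": {"TRANSFORMS-set": "setparsing,setnull"}}
    print("setnull listed last :", filter_events(SAMPLE_EVENTS, "cisco_asa", reversed_order))
```

Run as a script, the model reproduces the thread: with the stanza keyed by sourcetype only the two whitelisted message IDs survive; with the `[splunktcp://:22222]` stanza nothing is filtered at all (the original symptom, since that header is an inputs.conf name and never matches a props.conf lookup); and if `setnull` is listed after `setparsing`, its catch-all `.` regex is applied last and every event is discarded, which is why the order `setnull,setparsing` in TRANSFORMS-set is not optional.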

fahrenheit
New Member

Hi,

Now it is working. I have changed

[splunktcp://:22222]

for

[cisco_asa]

thanks


fahrenheit
New Member

Yes, I have restarted the Splunk web service.

Can I filter in UF? I think that isn't possible, only in a heavy forwarder.

thanks



fahrenheit
New Member

If I send the logs from the firewall to Splunk the filter is OK, but if I send the logs by UF the filter is not working.

thanks


fahrenheit
New Member

I have configured props.conf and transforms.conf in UF and I receive all events. I have restarted the service in UF.


bjoernjensen
Contributor

I guess you did restart, or ran "| extract reload=t" in Splunk Web, respectively?

You could also do the filtering at the UF.
