problem filtering data

New Member

Good morning,

I have a problem filtering data from UF.

The scenario:

UF --> Splunk indexer

configuration in UF:

inputs.conf

[default]
host = server1

[monitor:///home/user/prueba/]
disabled = false
index = firewall
sourcetype = cisco_asa
queue = parsingQueue

outputs.conf

[tcpout]
defaultGroup = splunk

[tcpout:splunk]
disabled = false
server = 1.1.1.1:22222
compressed = false

[tcpout-server://1.1.1.1:22222]

Configuration in Splunk indexer

/opt/splunk/etc/apps/SplunkforCiscoASA/local/props.conf

[splunktcp://:22222]
TRANSFORMS-set= setnull,setparsing

/opt/splunk/etc/apps/SplunkforCiscoASA/local/transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue

I receive all the data and the data isn't filtered.

Can you help?

Thanks


Re: problem filtering data

Contributor

I guess you did restart, or ran "| extract reload=t" in Splunk Web, respectively?

You could also do the filtering at the UF.


Re: problem filtering data

Contributor

Hi,

I just did some testing on this topic using the filtering at the UF.

A short addition to what is described in the documentation (link): I had to keep my entry in the inputs.conf. For example:

inputs.conf:
[WinEventLog:Security]
disabled = 0

props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0

transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue

After restarting the UF service I only got the accordingly filtered events. Of course, searching only back to the point in time where I restarted the UF service.


Re: problem filtering data

New Member

I have configured props.conf and transforms.conf in the UF and I receive all events. I have restarted the service in the UF.


Re: problem filtering data

New Member

If I send the logs from the firewall to Splunk the filter is OK, but if I send the logs via the UF the filter is not working.

Thanks


Re: problem filtering data

New Member

Yes, I have restarted the Splunk web service.

Can I filter in the UF? I think that isn't possible, only in a heavy forwarder.

Thanks


Re: problem filtering data

New Member

Hi,

Now it is working. I have changed

[splunktcp://:22222]

for

[cisco_asa]

Thanks

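Two things in this thread are easy to get wrong and expensive when wrong, because a nullQueue filter discards events before they are ever indexed: the order of the transforms in TRANSFORMS-set (setnull first, then setparsing re-routing the keepers back to indexQueue, as in the Contributor's and the original poster's configs), and the props.conf stanza key (the fix in the last post: props.conf is keyed by sourcetype, source:: or host::, so [cisco_asa] fires while the inputs-style [splunktcp://:22222] key never matches anything). The script below is an added example, not code from the thread or from Splunk: it is a small, hypothetical model of how TRANSFORMS-<class> with DEST_KEY = queue routes an event, run over constructed Cisco ASA-style sample lines, so the regex and the ordering can be checked offline before a config change is deployed. The stanza classifier only covers the sourcetype, source:: and host:: forms.

```python
import re
from dataclasses import dataclass


# Hypothetical mini-model of Splunk's TRANSFORMS-<class> handling for
# DEST_KEY = queue (added illustration, not Splunk code). Transforms run in
# the order listed in TRANSFORMS-set; every transform whose REGEX matches
# sets the queue, so the LAST matching transform decides where the event goes.
@dataclass(frozen=True)
class Transform:
    name: str
    regex: str
    queue: str  # the FORMAT value written to DEST_KEY = queue


# The transforms from the thread's Cisco ASA transforms.conf, in the order
# given by "TRANSFORMS-set = setnull,setparsing".
TRANSFORMS = (
    Transform("setnull", r".", "nullQueue"),
    Transform("setparsing", r"(ASA-4-113019|ASA-5-713120)", "indexQueue"),
)


def route_event(raw: str, transforms=TRANSFORMS) -> str:
    """Return the queue an event ends up in after all transforms have run."""
    queue = "indexQueue"  # default destination when no transform matches
    for t in transforms:
        if re.search(t.regex, raw):
            queue = t.queue
    return queue


def filter_events(events, transforms=TRANSFORMS):
    """Return only the events that would reach the index."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


def props_stanza_kind(stanza: str) -> str:
    """Classify a props.conf stanza key: sourcetype, source:: or host::.

    An inputs.conf-style key such as "splunktcp://:22222" is not one of these,
    so a props.conf stanza with that name never applies to any event, which is
    why the thread's original filter did nothing until it became [cisco_asa].
    (rule:: and delayedrule:: stanzas exist too but are not modelled here.)
    """
    if stanza.startswith("source::"):
        return "source"
    if stanza.startswith("host::"):
        return "host"
    if "://" in stanza:
        return "input-stanza (not a valid props.conf key)"
    return "sourcetype"


# Constructed sample lines in Cisco ASA syslog style (not real device output).
SAMPLE_EVENTS = [
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/443",
    "%ASA-4-113019: Group = vpn, Username = alice, IP = 198.51.100.7, Session disconnected.",
    "%ASA-5-713120: Group = vpn, IP = 198.51.100.7, PHASE 2 COMPLETED",
    "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.9/5555 to 10.0.0.1/80",
]

if __name__ == "__main__":
    for stanza in ("splunktcp://:22222", "cisco_asa"):
        print(f"[{stanza}] -> {props_stanza_kind(stanza)}")
    for e in SAMPLE_EVENTS:
        print(f"{route_event(e):11s} {e}")
    # Reversing the two transforms makes setnull win for every event, so the
    # whole feed is silently dropped: order in TRANSFORMS-set matters.
    print("kept with reversed order:", len(filter_events(SAMPLE_EVENTS, TRANSFORMS[::-1])))
```

Running the script with the thread's regex keeps only the two VPN messages (113019 and 713120) and drops the rest; with the transform order reversed it keeps nothing, which is the failure mode to watch for. Because whatever setnull drops is gone for good, it is worth running the intended setparsing regex over a sample of real events like this before restarting the forwarder or indexer, and keeping a note of the volume the filter is expected to discard so a sudden drop in indexed ASA events is recognised as a filter problem rather than a quiet firewall.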