Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using UDP 514 to get firewall syslog data, how do I edit props and transforms to filter out level=notice to nullQueue?

mack078
New Member
‎08-24-2015 08:03 PM

Example data:

Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,devname=FG300B3909604960,devid=FG300B3909604960,logid=0000000013,type=traffic,subtype=forward,level=notice,vd=root,srcip=172.20.11.64,srcport=56560,srcintf="port1",dstip=207.46.59.27,dstport=50007,dstintf="port7",sessionid=5529335,status=deny,policyid=0,dstcountry="UnitedStates",srccountry="Reserved",trandisp=noop,service=50007/tcp,proto=6,duration=0,sentbyte=0,rcvdbyte=0

I use add common line to props.conf

[source::udp:514]
TRANSFORMS-asa= firewall

and add transforms.conf too

[firewall]
REGEX=(?m)^level=notice
DEST_KEY=queue
FORMAT=nullQueue

but it still does not work. pls help me thanks

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-24-2015 08:39 PM

the ^ in your regex means you're looking for level=notice at the beginning of the string. In your case you have timestamp. Remove the ^
You can test you regex here: https://regex101.com

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

mack078
New Member
‎08-24-2015 11:36 PM

i try to delete ^ , and restart splunk service , but still not work ,

i use UDP 514 get firewall log , typ syslog , any one can help me ?

my source name i user : 300D

so how do i type in props.conf?
[300d::udp:514] ? OR [300d:udp:514] ?

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-26-2015 09:44 AM

where are you using these configs? indexer, universal forwarder or heavy forwarder?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...