
Using UDP 514 to get firewall syslog data, how do I edit props and transforms to filter out level=notice to nullQueue?

New Member

Example data:

Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,devname=FG300B3909604960,devid=FG300B3909604960,logid=0000000013,type=traffic,subtype=forward,level=notice,vd=root,srcip=172.20.11.64,srcport=56560,srcintf="port1",dstip=207.46.59.27,dstport=50007,dstintf="port7",sessionid=5529335,status=deny,policyid=0,dstcountry="UnitedStates",srccountry="Reserved",trandisp=noop,service=50007/tcp,proto=6,duration=0,sentbyte=0,rcvdbyte=0

I added the following lines to props.conf:

[source::udp:514]
TRANSFORMS-asa= firewall

and added this to transforms.conf too:

[firewall]
REGEX=(?m)^level=notice
DEST_KEY=queue
FORMAT=nullQueue

but it still does not work. Please help me, thanks.

0 Karma

Re: Using UDP 514 to get firewall syslog data, how do I edit props and transforms to filter out level=notice to nullQueue?

Motivator

The ^ in your regex means you're looking for level=notice at the beginning of the string. In your case you have a timestamp there. Remove the ^.
You can test your regex here: https://regex101.com

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma
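To make the difference concrete, here is an added example (not code from the thread or from Splunk) that simulates what a transforms.conf stanza with DEST_KEY=queue does: it runs the stanza's REGEX against the raw event and sends matches to the FORMAT queue, everything else to indexQueue. It parses the two stanza variants from the thread (the original one with (?m)^ and the one with the anchor removed) with a minimal .conf parser and routes two constructed FortiGate-style events, one level=notice and one level=warning. The parser, the routing function and the sample events are assumptions made for this illustration; Splunk's real pipeline is not involved.

```python
import re

# Constructed sample events modelled on the line in the question.
# Only the first one carries level=notice and should be dropped.
SAMPLE_EVENTS = [
    'Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,'
    'devname=FG300B3909604960,type=traffic,subtype=forward,level=notice,'
    'srcip=172.20.11.64,dstip=207.46.59.27,status=deny,policyid=0',
    'Aug 25 10:49:02 172.20.10.253 date=2015-08-25,time=10:49:00,'
    'devname=FG300B3909604960,type=event,subtype=system,level=warning,'
    'srcip=172.20.11.64,dstip=207.46.59.27,status=deny,policyid=0',
]

# The stanza exactly as posted in the question: ^ anchors to start of line.
ORIGINAL_TRANSFORMS_CONF = """
[firewall]
REGEX=(?m)^level=notice
DEST_KEY=queue
FORMAT=nullQueue
"""

# The stanza after the reply's suggestion: no anchor, match anywhere.
FIXED_TRANSFORMS_CONF = """
[firewall]
REGEX=level=notice
DEST_KEY=queue
FORMAT=nullQueue
"""


def parse_stanzas(conf_text):
    """Minimal parser for Splunk-style .conf text (assumption: no
    continuation lines). Returns {stanza_name: {key: value}}.
    Splits on the FIRST '=' so a REGEX value may itself contain '='."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(event, stanza):
    """Mimic DEST_KEY=queue routing: if REGEX matches anywhere in the raw
    event, the event goes to the FORMAT queue (nullQueue drops it);
    otherwise it continues to indexQueue. Only queue routing is modelled."""
    if stanza.get("DEST_KEY") != "queue":
        raise ValueError("only DEST_KEY=queue is modelled here")
    # re.search, like Splunk's regex matching, is unanchored unless the
    # pattern itself contains ^ or $.
    if re.search(stanza["REGEX"], event):
        return stanza["FORMAT"]
    return "indexQueue"


def route_all(conf_text, events, stanza_name="firewall"):
    """Parse the conf text and return the destination queue per event."""
    stanza = parse_stanzas(conf_text)[stanza_name]
    return [route_event(e, stanza) for e in events]


if __name__ == "__main__":
    # With the original ^ anchor nothing is filtered: level=notice never
    # starts a line, because the syslog timestamp and host come first.
    print("original:", route_all(ORIGINAL_TRANSFORMS_CONF, SAMPLE_EVENTS))
    # Without the anchor the notice event is dropped, the warning is kept.
    print("fixed:   ", route_all(FIXED_TRANSFORMS_CONF, SAMPLE_EVENTS))
```

Running it prints `['indexQueue', 'indexQueue']` for the original stanza and `['nullQueue', 'indexQueue']` for the fixed one, which is the behaviour the reply describes: with the anchor in place the filter silently matches nothing, so every event is still indexed.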

Re: Using UDP 514 to get firewall syslog data, how do I edit props and transforms to filter out level=notice to nullQueue?

New Member

I tried deleting the ^ and restarting the Splunk service, but it still does not work.

I use UDP 514 to get the firewall log, type syslog. Can anyone help me?

The source name I use is: 300D

So what do I type in props.conf?
[300d::udp:514] ? OR [300d:udp:514] ?

0 Karma

Re: Using UDP 514 to get firewall syslog data, how do I edit props and transforms to filter out level=notice to nullQueue?

Motivator

Where are you using these configs? Indexer, universal forwarder or heavy forwarder?

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma