This seems to be a common and easy problem to resolve, but I can't seem to get to the right answer.
Recently I installed the "Splunk Add-on for Cisco ASA" in my environment's indexers and search heads. Data from several syslog sources is received by my universal forwarder and sent over to my indexers.
The ASA data is coming in as sourcetype syslog. The add-on's default props.conf and transforms.conf take care of renaming the sourcetype to cisco:asa.
This is the relevant section of the add-on's default props.conf file:
[syslog]
TRANSFORMS-force_sourcetype_for_cisco = force_sourcetype_for_cisco_asa,force_sourcetype_for_cisco_pix,force_sourcetype_for_cisco_fwsm
[cisco:asa]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
SHOULD_LINEMERGE = false
KV_MODE = auto
Relevant section of the default transforms.conf file:
[force_sourcetype_for_cisco_asa]
DEST_KEY = MetaData:Sourcetype
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa
The configuration shown above works fine. However, when I add filtering in the local files for events I do not want, it does not work.
Local props.conf file:
[cisco:asa]
TRANSFORMS-ASA_filters = removeDNS
Local transforms.conf file:
[removeDNS]
REGEX = [/(]53[)\s]
DEST_KEY = queue
FORMAT = nullQueue
I have used configurations similar to these before. I just can't explain why the filtering does not happen. I can only think the sourcetype is still syslog when the filter needs to be applied.
Any help on this issue will be extremely appreciated.
Regards,
Frunkster
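The ordering problem in the question, modelled as an added Python example (not part of the original post or of the add-on): at index time Splunk only consults the props stanza of the sourcetype an event arrives with, so a TRANSFORMS-* entry under [cisco:asa] never runs for events that came in as syslog and were renamed by force_sourcetype_for_cisco_asa. The sample events, the pipeline model and the tightened "removeDNS_asa" transform are constructed assumptions; the fix it illustrates is to run the nullQueue transform in the [syslog] stanza, after the sourcetype rewrite.

```python
import re

# Constructed sample syslog lines (not from the original post); the ASA ones
# match the add-on's REGEX %ASA-\d-\d{6}, the last one is ordinary host syslog.
EVENTS = [
    "Jun  1 12:00:00 fw01 %ASA-6-302013: Built outbound TCP connection 1 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51532 (10.0.0.7/51532)",
    "Jun  1 12:00:01 fw01 %ASA-6-302015: Built outbound UDP connection 2 for "
    "outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.0.7/40001 (10.0.0.7/40001)",
    "Jun  1 12:00:02 host1 sshd[1234]: Accepted publickey for ops from 10.0.0.9 port 53122 ssh2",
]

# transforms.conf stanzas as posted, plus a constructed variant for the fix.
TRANSFORMS = {
    "force_sourcetype_for_cisco_asa": dict(REGEX=r"%ASA-\d-\d{6}",
                                           DEST_KEY="MetaData:Sourcetype",
                                           FORMAT="sourcetype::cisco:asa"),
    "removeDNS": dict(REGEX=r"[/(]53[)\s]", DEST_KEY="queue", FORMAT="nullQueue"),
    # Same filter, anchored to ASA messages so it is safe to run under [syslog],
    # where it would otherwise also drop non-ASA events containing "/53 ".
    "removeDNS_asa": dict(REGEX=r"%ASA-\d-\d{6}.*[/(]53[)\s]", DEST_KEY="queue",
                          FORMAT="nullQueue"),
}

# props.conf as posted: the filter is keyed on the *rewritten* sourcetype.
PROPS_AS_POSTED = {"syslog": ["force_sourcetype_for_cisco_asa"],
                   "cisco:asa": ["removeDNS"]}
# Fix: filter in the stanza of the arriving sourcetype, listed after the rewrite,
# so both transforms are evaluated in the same index-time pass.
PROPS_FIXED = {"syslog": ["force_sourcetype_for_cisco_asa", "removeDNS_asa"]}


def index_event(event, props, arriving_sourcetype="syslog"):
    """Return (final_sourcetype, queue) for one raw event.

    Models the index-time rule assumed here: only the stanza for the sourcetype
    the event ARRIVED with is consulted for TRANSFORMS-*; a transform that
    rewrites the sourcetype does not cause the new stanza's transforms to run.
    """
    sourcetype, queue = arriving_sourcetype, "indexQueue"
    for name in props.get(arriving_sourcetype, []):
        t = TRANSFORMS[name]
        if not re.search(t["REGEX"], event):
            continue
        if t["DEST_KEY"] == "MetaData:Sourcetype":
            sourcetype = t["FORMAT"].split("::", 1)[1]
        elif t["DEST_KEY"] == "queue":
            queue = t["FORMAT"]
    return sourcetype, queue
```

With PROPS_AS_POSTED the DNS event is renamed to cisco:asa but still reaches indexQueue; with PROPS_FIXED it goes to nullQueue while the other ASA event and the plain sshd line are indexed unchanged.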