Hey guys, I have an input that is monitoring a log from syslog. In this file there's data of multiple severities, it's bad, but I was thinking I could use a transform to set the sourcetype in props that I could use to format the data.

So I did this in inputs.conf:

    [udp://x.x.x.x:5514]
    index=cisco_asa
    sourcetype=cisco_firewall
    disabled=false

and these are the logs from the Cisco ASA:

    Sep 20 15:36:41 10.10.108.122 %ASA-4-106023: Deny tcp src inside:x.x.x.x/xxxx dst outside:x.x.x.x/xxxx by access-group "Inside_access_in" [0x51fd3ce2, 0x0]
    Sep 20 15:36:37 10.10.108.122 %ASA-5-746015: user-identity: [FQDN] go.microsoft.com resolved x.x.x.x
    Sep 20 15:36:37 10.10.108.122 %ASA-6-302021: Teardown ICMP connection for faddr x.x.x.x/x gaddr x.x.x.x/x laddr x.x.x.x/x type 8 code 0

Then I created a transforms.conf:

    [set_log_type_critical]
    source_key = _raw
    regex = .*%ASA-4
    dest_key=MetaData:Sourcetype
    format=sourcetype::cisco:firewall:alert

    [set_log_type_error]
    source_key = _raw
    regex = .*%ASA-5
    dest_key=MetaData:Sourcetype
    format=sourcetype::cisco:firewall:critical

    [set_log_type_warnig]
    source_key = _raw
    regex = .*%ASA-6
    dest_key=MetaData:Sourcetype
    format=sourcetype::cisco:firewall:error

I also have a props.conf that looks like:

    [cisco:firewall]
    TRANSFORMS-setlogtype_alert=set_log_tyoe_critical
    TRANSFORMS-setlogtype_critical=set_log_tyoe_error
    TRANSFORMS-setlogtype_error=set_log_tyoe_warning

My question is this: after I configured all that, the sourcetype separation is still not possible. Do the transforms and props look correct? I'm testing locally, so I can break things all day long. Thanks for the assistance.
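As an added example (not part of the post, and not Splunk's own code), the script below uses Python's configparser to load constructed copies of the props.conf and transforms.conf quoted above and emulates, in simplified form, how index-time TRANSFORMS-* rewrite MetaData:Sourcetype: the props stanza is looked up by the input's sourcetype, each referenced transform must exist, and its regex is searched against _raw. It also reports the two consistency checks worth running on any such config: whether a props stanza exists for the sourcetype the input assigns, and whether every transform name in props resolves to a stanza in transforms.conf.

```python
import configparser
import re
# Constructed copies of the transforms.conf and props.conf quoted in the post,
# not files from the poster's system; names and spelling are kept as posted.
TRANSFORMS_CONF = """[set_log_type_critical]
source_key = _raw
regex = .*%ASA-4
dest_key = MetaData:Sourcetype
format = sourcetype::cisco:firewall:alert
[set_log_type_error]
source_key = _raw
regex = .*%ASA-5
dest_key = MetaData:Sourcetype
format = sourcetype::cisco:firewall:critical
[set_log_type_warnig]
source_key = _raw
regex = .*%ASA-6
dest_key = MetaData:Sourcetype
format = sourcetype::cisco:firewall:error
"""
PROPS_CONF = """[cisco:firewall]
TRANSFORMS-setlogtype_alert = set_log_tyoe_critical
TRANSFORMS-setlogtype_critical = set_log_tyoe_error
TRANSFORMS-setlogtype_error = set_log_tyoe_warning
"""

def load_conf(text):
    """Parse a Splunk .conf file (INI-like; only '=' separates key and value)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep TRANSFORMS-* key case as written
    cp.read_string(text)
    return cp

def resolve_sourcetype(event, input_sourcetype, props, transforms):
    """Simplified emulation of index-time TRANSFORMS-* rewriting of
    MetaData:Sourcetype for one event; returns (sourcetype, problems found)."""
    if input_sourcetype not in props:
        return input_sourcetype, [f"no props stanza [{input_sourcetype}]"]
    sourcetype, problems = input_sourcetype, []
    for key, value in props[input_sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if name not in transforms:
                problems.append(f"{key} references undefined stanza [{name}]")
            elif re.search(transforms[name]["regex"], event):  # source_key=_raw
                sourcetype = transforms[name]["format"].split("::", 1)[1]
    return sourcetype, problems
```

Run it with the input's sourcetype (cisco_firewall) and then with the props stanza name (cisco:firewall) to see which lookup fails at each stage; the emulator ignores Splunk's transform ordering and other index-time settings, so it is a sanity check, not a substitute for testing on the indexer.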