I don't understand how to get Splunk to properly parse the Teardown messages from my ASA cluster. It claims that "bytes" is a host, which it is not.
Here is an example of the messages that are being improperly attributed to "bytes":
<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314
<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 bytes 2630 TCP FINs (d397500)
Can anyone give me a pointer as to how I can get it to interpret the log correctly?
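An added example, not part of the question or of Splunk's own code, that shows why these two events end up with host "bytes", a stricter host rule, and a field extraction for the teardown messages. It assumes the first regex is the stock [syslog-host] transform from Splunk's default transforms.conf (check your install's copy), and `asa_host` / `parse_teardown` are illustrative names; it is written in Python so the behaviour can be checked outside Splunk.

```python
import re

# Constructed sample input: the two teardown events quoted in the question.
SAMPLE_EVENTS = [
    "<190>May 14 2010 15:08:48: %ASA-6-302016: Teardown UDP connection 77425970 "
    "for outside:192.168.2.30/61031 to inside:IN-TDC1/53 duration 0:00:03 bytes 314",
    "<190>May 14 2010 15:08:48: %ASA-6-302014: Teardown TCP connection 77426021 "
    "for outside:192.168.2.28/3838 to inside:172.30.21.41/135 duration 0:00:00 "
    "bytes 2630 TCP FINs (d397500)",
]

# Assumption: the stock [syslog-host] REGEX from Splunk's default transforms.conf.
# It wants ":SS " after a timestamp, but the ASA timestamp ends "HH:MM:SS:", so the
# first ":SS " it finds is inside "duration 0:00:03 " and the next word is "bytes".
DEFAULT_SYSLOG_HOST_RE = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)

# Stricter rule (mine, not Splunk's): a host must sit right after the timestamp's
# trailing colon. These events have none there, so the input-assigned host stays.
ASA_HOST_RE = re.compile(r"^<\d+>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d: ([\w.\-]+) %ASA-")

# Field extraction for the 302014 (TCP) / 302016 (UDP) teardown messages.
ASA_TEARDOWN_RE = re.compile(
    r"%ASA-(?P<severity>\d)-(?P<msg_id>30201[46]): Teardown (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for (?P<src_if>\w+):(?P<src>[^/]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[^/]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)

def default_host(event):
    """Host the stock syslog transform would assign to this event."""
    m = DEFAULT_SYSLOG_HOST_RE.search(event)
    return m.group(1) if m else None

def asa_host(event, input_host):
    """Host under the stricter rule, falling back to the host set by the input."""
    m = ASA_HOST_RE.match(event)
    return m.group(1) if m else input_host

def parse_teardown(event):
    """Return the teardown fields as a dict, or None if this is not a teardown."""
    m = ASA_TEARDOWN_RE.search(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["conn_id"], fields["bytes"] = int(fields["conn_id"]), int(fields["bytes"])
    return fields
```

The same expressions can be carried over into a transforms.conf stanza (REGEX with DEST_KEY = MetaData:Host and FORMAT = host::$1 for the host rule), but test them against your own events first.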