Hello everyone,
One of the projects I worked on was to build a filter for ASA logs in Splunk so logs we were not interested in would not be indexed, thus preserving the license. I did that, and it seems to have worked too well. Where we once had maybe 1.5 million events in 24 hours, Splunk now shows less than three hundred. I made the filter with a props.conf and transforms.conf to search for and allow only events that have one of the listed ID numbers, as shown here:
#props.conf
[sourcetype_name]
TRANSFORMS-set=setnull,setparsing
#transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = \d{4}\-\d{2}-\d{2}.+?%ASA\-\d{1}\-(106100|106023|106015)
DEST_KEY = queue
FORMAT = indexQueue
I think I noticed a typo in the original regex (which I can't find now) where one of the numbers had an apostrophe in it. Given that I'm using pipes, though, that shouldn't matter. Indeed, I'm still getting the events I'm filtering for, just much fewer of them. Any ideas?
Edit: To clarify, the problem is not that I'm getting no events, or that the filter is not working, but that I am getting far fewer events than expected of those logs that are indexed. I found a typo in the original file where "DEST_KEY = queue" under [setparsing] is "DSET_KEY = queue". I'm not sure if this is the issue though, as my understanding is that this would set all events to NULL.
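A small offline harness, added here and not part of the original post, that applies the poster's two transforms in the order Splunk evaluates them (setnull first, then setparsing, last DEST_KEY assignment wins) to a few constructed ASA lines. It assumes nothing beyond the regexes shown above; the timestamp formats in the samples are the detail worth checking against real events, since the setparsing regex only matches lines that contain a YYYY-MM-DD date.

```python
import re

# Same REGEX values as the transforms.conf above, in the same order.
# setnull sends everything to nullQueue; a later setparsing match
# overrides DEST_KEY and routes the event back to indexQueue.
TRANSFORMS = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing",
     re.compile(r"\d{4}\-\d{2}-\d{2}.+?%ASA\-\d{1}\-(106100|106023|106015)"),
     "indexQueue"),
]


def route_event(raw: str) -> str:
    """Return the queue an event ends in: 'indexQueue' or 'nullQueue'.

    Mimics Splunk applying a TRANSFORMS-<class> list in order: every
    transform whose REGEX matches _raw sets DEST_KEY, so the last
    matching transform decides where the event goes.
    """
    queue = "indexQueue"  # default before any transform fires
    for _name, pattern, dest in TRANSFORMS:
        if pattern.search(raw):
            queue = dest
    return queue


def route_all(lines):
    """Map each raw line to the queue it would be routed to."""
    return {line: route_event(line) for line in lines}


# Constructed sample events (not real logs). Message IDs are the ones the
# filter allows; the last line uses a syslog-style timestamp instead of
# YYYY-MM-DD, which the setparsing regex does not accept.
SAMPLES = [
    "2024-01-15 10:22:01 fw01 %ASA-6-106100: access-list inside permitted tcp ...",
    "2024-01-15 10:22:02 fw01 %ASA-4-106023: Deny tcp src outside:...",
    "2024-01-15 10:22:03 fw01 %ASA-6-302013: Built inbound TCP connection ...",
    "Jan 15 10:22:04 fw01 %ASA-6-106100: access-list inside permitted tcp ...",
]

if __name__ == "__main__":
    for line, queue in route_all(SAMPLES).items():
        print(f"{queue:<10} {line}")
```

Feeding a few hundred real events from the source through route_all and counting the nullQueue hits shows quickly whether the timestamp prefix, rather than the message IDs, is what discards most of the volume.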