Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

index time extraction not working

aamer86
Path Finder
‎07-05-2021 09:15 AM

Hi, 

 

I have a HEC input on an indexer. 

I am trying to send Palo Alto Traffic Logs over HEC

I have the this stanza in the props.conf 

[source::hec]

pulldown_type = true

SHOULD_LINEMERGE = false

TIME_PREFIX = ^(?:[^,]*,){5}

MAX_TIMESTAMP_LOOKAHEAD = 100

#TRANSFORMS-sourcetype =  pan_traffic

REPORT-trafic_fields = pan_trafic_fields

 

 

and this in transforms.conf 

[pan_trafic_fields]

DELIMS = ","

FIELDS = "receive_time","serial_number","log_type","log_subtype","src_ip","dest_ip","rule","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","session_id","repeat_count","src_port","dest_port","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","sequence_number","src_location","dest_location","packets_out","packets_in","session_end_reason","dvc_name","action_source","tunnel_id"

 

I am trying to test it with curl

curl -k "https://172.31.72.93:8088/services/collector/raw?cca3-f29f63e09fdc&sourcetype=pan:log" -H "Authorization: Splunk 92a1a276-eee8-XXXX-XXXX-11d002640ad0" -d '"2021/07/05 12:30:06",44A1B3FC68F5304,TRAFFIC,end,103.125.191.136,10.0.0.10,splunk,incomplete,vsys1,untrusted,trusted,ethernet1/3,ethernet1/2,log-forwarding-default,574277,1,52564,8088,tcp,allow,74,74,0,1,"2021/07/05 12:30:06",0,any,730218,"United States",10.0.0.0-10.255.255.255,1,0,aged-out,PA-VM,from-policy,0'

the Sourcetype is being recognised by Splunk as pan:traffic as expected but the parsing is not working on the indexers and no fields are showing in my search 

am i missing something here 

 

 

Labels (1)
Labels
0 Karma
Reply

Gene
Path Finder
‎07-06-2021 02:13 AM

Why don't you use app\addon for PaloAlto? It extracts fields without problems. Also according to your props.conf - sourcetype recognition is commented, so looks like it happens somewhere else.
#TRANSFORMS-sourcetype =  pan_traffic

You can also try to download application and check config files there (easiest way) - so you will have some clue on how to modify your configs or copy them to your system.

 

Thank, Gene

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎07-06-2021 12:22 AM

Hi,

I think this should work with the transform that change sourcetype uncommented.

Then move the REPORTS stanza is in a sourcetype scope not a source

so

[pan:trafic]

REPORT-trafic_fields = pan_trafic_fields

(make sure this config is also present on sh so deploy the whole sh + idx)

 

that makes at least things much easier to debug with such things scoped at sourcetype level

 

 

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎07-06-2021 12:23 AM

btw reports is a search time extraction

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...