Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Unable to delete some logs with TRANSFORMS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to delete some logs with TRANSFORMS
azanoli
Explorer
02-03-2015
07:01 AM
Hi all
I have problems with 2 transforms for a Cisco IronPort Proxy. I receive 2 different types of logs:
Pacfile download:
Feb 3 15:08:22 ironport2.bank.com Feb 03 15:08:22 pacfile-splunk: Info: 189.149.11.14 - /proxy-ntlm.pac is downloaded successfully
Proxy-Access:
Jan 8 09:22:19 proxy.bank.com Jan 08 09:22:19 accesslogs-splunk: Info: 1420705339.401 307 189.149.128.70 TCP_CLIENT_REFRESH_MISS/200 6439 CONNECT tunnel://eqi.ibb.ubs.com:443/ "MAIN\bsm@MAIN.NTLM" DIRECT/eqi.ibb.ubs.com - PASSTHRU_CUSTOMCAT_7-DefaultGroup-ID.G.URL.Domains.Whitelist-DefaultGroup-NONE-NONE-DefaultGroup <C_G.N0,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",167.79,0,-,"-","-",-,"-",-,-,"-","-"> - "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" - 216.219.78.86 - "G.NoDecryption.BypassScanning" 3438
I want to remove the Pacfile entries with the transform cisco_wsa_pacfile_drop. After them I have to reformat the Proxy-Access logs to delete all entries until the timestamp with the transform cisco_wsa_format_clean.
The second part works well. But the deletion of the Pacfile logs doesn't work.
--- props.conf ---
[cisco:wsa:squid]
TRANSFORMS-wsa_format = cisco_wsa_format_clean,cisco_wsa_format_clean
--- transforms.conf ---
[cisco_wsa_pacfile_drop]
REGEX = ^(.*)pacfile-splunk: Info: (.*)
FORMAT = nullQueue
DEST_KEY = queue
[cisco_wsa_format_clean]
SOURCE_KEY = _raw
REGEX = ^(.*)accesslogs-splunk: Info: (.*)$
FORMAT = $2
DEST_KEY = _raw
Regards, Adriano
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jayannah
Builder
02-03-2015
07:24 AM
Just change the regex and try
[cisco_wsa_pacfile_drop]
REGEX = pacfile-splunk
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
azanoli
Explorer
02-03-2015
08:13 AM
It doesn't work also
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
azanoli
Explorer
02-03-2015
07:07 AM
There are some errors in the config above, here is the corrected version:
--- props.conf ---
[cisco:wsa:squid]
TRANSFORMS-wsa_format = cisco_wsa_pacfile_drop, cisco_wsa_format_clean
--- transforms.conf ---
[cisco_wsa_pacfile_drop]
REGEX = ^(.*)pacfile-splunk(.*)$
FORMAT = nullQueue
DEST_KEY = queue
[cisco_wsa_format_clean]
SOURCE_KEY = _raw
REGEX = ^(.*)accesslogs-splunk: Info: (.*)$
FORMAT = $2
DEST_KEY = _raw
Get Updates on the Splunk Community!
Detecting Remote Code Executions With the Splunk Threat Research Team
REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
