Example data:
Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,devname=FG300B3909604960,devid=FG300B3909604960,logid=0000000013,type=traffic,subtype=forward,level=notice,vd=root,srcip=172.20.11.64,srcport=56560,srcintf="port1",dstip=207.46.59.27,dstport=50007,dstintf="port7",sessionid=5529335,status=deny,policyid=0,dstcountry="UnitedStates",srccountry="Reserved",trandisp=noop,service=50007/tcp,proto=6,duration=0,sentbyte=0,rcvdbyte=0
I added these lines to props.conf:
[source::udp:514]
TRANSFORMS-asa= firewall
and added this to transforms.conf too:
[firewall]
REGEX=(?m)^level=notice
DEST_KEY=queue
FORMAT=nullQueue
but it still does not work. Please help me, thanks.
The ^ in your regex means you're looking for level=notice at the beginning of the string. In your case you have a timestamp there. Remove the ^.
You can test your regex here: https://regex101.com
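As an added check (not from the original thread), the following Python snippet runs both the anchored and the unanchored REGEX against the sample event from the question and mimics what a nullQueue transform would do with it; the field splitter is a small illustrative parser for the FortiGate key=value body, not Splunk's own extraction.

```python
import re

# Constructed sample: the FortiGate syslog event from the question, as it
# arrives on udp:514 (syslog header, then the comma-separated key=value body).
SAMPLE_EVENT = (
    "Aug 25 10:48:58 172.20.10.253 date=2015-08-25,time=10:48:56,"
    "devname=FG300B3909604960,devid=FG300B3909604960,logid=0000000013,"
    "type=traffic,subtype=forward,level=notice,vd=root,srcip=172.20.11.64,"
    'srcport=56560,srcintf="port1",dstip=207.46.59.27,dstport=50007,'
    'dstintf="port7",sessionid=5529335,status=deny,policyid=0,'
    'dstcountry="UnitedStates",srccountry="Reserved",trandisp=noop,'
    "service=50007/tcp,proto=6,duration=0,sentbyte=0,rcvdbyte=0"
)

# The two REGEX values discussed in the thread: the anchored original and
# the corrected one with the ^ removed.
ANCHORED_REGEX = r"(?m)^level=notice"
FIXED_REGEX = r"level=notice"


def would_drop(event: str, regex: str) -> bool:
    """Mimic a transforms.conf stanza with DEST_KEY=queue / FORMAT=nullQueue:
    the event is discarded when REGEX matches anywhere in the raw event.
    Splunk's transforms REGEX is an unanchored search, so ^ only matches at
    the very start of the event (or at a line start, with (?m)); a syslog
    header in front of level=notice therefore defeats the anchored pattern."""
    return re.search(regex, event) is not None


def fortigate_fields(event: str) -> dict:
    """Split the FortiGate key=value body (after 'Mon DD HH:MM:SS host')
    into a dict, stripping the double quotes FortiGate puts around some
    values. Hypothetical helper for inspection only."""
    body = event.split(" ", 4)[4]
    fields = {}
    for pair in body.split(","):
        key, _, value = pair.partition("=")
        fields[key] = value.strip('"')
    return fields


if __name__ == "__main__":
    print("anchored regex drops event:", would_drop(SAMPLE_EVENT, ANCHORED_REGEX))
    print("fixed regex drops event:   ", would_drop(SAMPLE_EVENT, FIXED_REGEX))
    print("level field:", fortigate_fields(SAMPLE_EVENT)["level"])
```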
I tried deleting the ^ and restarting the Splunk service, but it still does not work.
I use UDP 514 to get the firewall log, type syslog. Can anyone help me?
The source name I use: 300D
So how do I type it in props.conf?
[300d::udp:514] ? OR [300d:udp:514] ?
Where are you using these configs? Indexer, universal forwarder, or heavy forwarder?