All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Palo Alto Networks App transforms

jaoui
Path Finder
‎01-18-2012 08:55 AM

I was wondering if someone could help me properly tag my Palo Alto events

they come in like the following but don't match the transform listed in the default:
Jan 18 07:11:24 pan.network.local 07: 11:24,0005C100436,TRAFFIC,end,1,2012/01/18 07:11:23,100.111.133.229,65.55.202.157,0.0.0.0,0.0.0.0,Base_Policy,,,live-mesh-base,vsys1,trust,untrust,ae1,ae2,Enterprise Forwarding,2012/01/18 07:11:23,351785,1,61561,443,0,0,0x0,tcp,allow,57679,57679,0,15,2012/01/18 07:08:51,150,internet-communications,0,879109,0x0,United States,United States,0,15,0

so i created my own but i think i'm missing something:

[extract_traffic]
DELIMS = ","
FIELDS = "junk", "serial", "log_type", "log_subtype", "config_ver", "time_generated", "src_ip","dst_ip", "nat_src_ip", "nat_dst_ip", "rule", "src_user", "dst_user", "app", "vsys", "src_zone", "dst_zone", "src_interface","dst_interface", "log_fwd_profile", "time_logged", "session_id", "repeat_cnt", "src_port", "dst_port", "nat_src_port", "nat_dst_port", "flags", "proto", "action", "bytes", "bytes_sent", "bytes_received", "packets", "time_started", "elapsed", "padding"

anyone able to help speak to what each field should be in my sample log to get this app to fully work?

0 Karma
Reply

kbains
Splunk Employee
Splunk Employee
‎01-24-2012 03:23 PM

Hmm I missed your update on this question. Why don't you email me directly _at_splunk.com.

0 Karma
Reply

kbains
Splunk Employee
Splunk Employee
‎01-18-2012 12:00 PM

The config looks good. Where did you make this change? It should be in $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/transforms.conf

Reply

jaoui
Path Finder
‎01-18-2012 12:10 PM

Dude! you rock for the response time!
i just feel like i am missing something, especially because i couldnt figure out what the field "domain" that you include in default/transforms.conf was supposed to be

is it maybe i'm receiving a different kind of timestamp than you do?

thank you for a most wicked App BTW! The IT Security team seem to really like it and it's helped generate interest for Splunk as a whole 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...