- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- problem filtering data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning,
I have a problem filtering data from UF.
The scenario:
UF --> Splunk indexer
configuration in UF:
inputs.conf
[default]
host = server1
[monitor:///home/user/prueba/]
disabled = false
index = firewall
sourcetype = cisco_asa
queue = parsingQueue
outputs.conf
[tcpout]
defaultGroup = splunk
[tcpout:splunk]
disabled = false
server = 1.1.1.1:22222
compressed = false
[tcpout-server://1.1.1.1:22222]
Configuration in splunk indexer
/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf
[splunktcp://:22222]
TRANSFORMS-set= setnull,setparsing
/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue
I received all data and the data isn´t filtred
can you help?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I just did some testing on this topic using the filtering at the UF.
A short addition to what is discribed in the documentation (link😞 I had to keep my entry in the inputs.conf. For example:
inputs.conf:
[WinEventLog:Security]
disabled = 0
props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue
After restarting the UF service I only got according filtered events. Of course searching only back to that point in time where I restarted the UF-service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
now is working. I have changed
[splunktcp://:22222]
for
[cisco_asa]
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, i have restard splunk web service.
Can i filter in UF? i think that isn´t posible, only in heavy forwarder.
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I just did some testing on this topic using the filtering at the UF.
A short addition to what is discribed in the documentation (link😞 I had to keep my entry in the inputs.conf. For example:
inputs.conf:
[WinEventLog:Security]
disabled = 0
props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue
After restarting the UF service I only got according filtered events. Of course searching only back to that point in time where I restarted the UF-service.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if i send the logs from firewall to splunk the filter is ok, but if i send the logs by UF the filter not working
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured props.conf and transforms.conf in UF and i receive alls events. I have restarted the service in UF
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess you did restart or ran "| extract reload=t" und Splunk Web respectively?
You could also do the filtering at the UF.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
