- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Palo Alto Networks App and Add-on for Splunk: ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit.
I have a transform that i put together in ./etc/apps/Splunk_TA_paloalto/default/props.conf :
[pan:threat]
SHOULD_LINEMERGE = false
# My addition below to Filter out URL Logs:
TRANSFORMS-urlfilter = urlfilter
and ./etc/apps/Splunk_TA_paloalto/default/transforms.conf
[urlfilter]
REGEX=^.*(THREAT,url,).*(informational).*$
DEST_KEY=queue
FORMAT=nullQueue
After making these changes, I restarted splunk.
Where do i see debugging information as to why this doesn't work?
Also, if you can see why it isn't working can you please share? 🙂
Lastly, is there an easier way to do this: the field that i am searching for is already extracted with this TA:
field: log_subtype
value i am trying to avoid indexing: 'url'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do something similar:
In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.
Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do something similar:
In your particular case, try to pull the transform you're defining into the [pan:log] stanza in your props.conf. I seem to remember trying what you're doing and it didn't work under [pan:threat] - moving it up to pan:log worked - it might be some sort of race condition.
Also, put your work under /local - it should work just fine merging the changes and you won't lose them if you upgrade the TA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! that was it.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
