Solved: Parsing Issue

rbonfadini · ‎04-04-2018

I have the 6.0.2 TA deployed per the instructions.

I'm receiving parsed logs for pan:threat, config, traffic, and system. I'm still receiving pan:log, which I believe should be parsing out to pan:hipmatch.

What may be the issue where some, but not all sourcetypes are being parsed out correctly?

splunker12er · ‎04-04-2018

Check your TA props.conf - stanza TRANSFORMS-sourcetype has config for pan_hipmatch and in your transforms.conf you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..

View solution in original post

splunker12er · ‎04-04-2018

Check your TA props.conf - stanza TRANSFORMS-sourcetype has config for pan_hipmatch and in your transforms.conf you can verify the stanza [pan_hipmatch] and confirm the REGEX that would need to match your log source - if there it should route the log source to this particular sourcetype and parse accordingly..

rbonfadini · ‎04-05-2018

You were correct. OOTB transforms.conf regex for hipmatch wasn't lining up with our log output. Had to tweak the regex. Thank you.

Parsing Issue

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?