Solved: Re: problem filtering data

fahrenheit · ‎03-20-2013

Good morning,

I have a problem filtering data from UF.

The scenario:

UF --> Splunk indexer

configuration in UF:

inputs.conf

[default]

host = server1

[monitor:///home/user/prueba/]

disabled = false

index = firewall

sourcetype = cisco_asa

queue = parsingQueue

outputs.conf

[tcpout]

defaultGroup = splunk

[tcpout:splunk]

disabled = false

server = 1.1.1.1:22222

compressed = false

[tcpout-server://1.1.1.1:22222]

Configuration in splunk indexer

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf

[splunktcp://:22222]

TRANSFORMS-set= setnull,setparsing

/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf

[setnull]

REGEX = .

DEST_KEY = queue

FORMAT = nullQueue

[setparsing]

REGEX = (ASA-4-113019|ASA-5-713120)

DEST_KEY = queue

FORMAT = indexQueue

I received all data and the data isn´t filtred

can you help?

thanks

bjoernjensen · ‎03-20-2013

Hi,

I just did some testing on this topic using the filtering at the UF.

A short addition to what is discribed in the documentation (link😞 I had to keep my entry in the inputs.conf. For example:

inputs.conf: [WinEventLog:Security] disabled = 0

props.conf: [WinEventLog:Security] TRANSFORMS-set= setnull,setparsing disabled = 0

transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue

[setparsing] REGEX = Protokoll:[\w]+17 DEST_KEY = queue FORMAT = indexQueue

After restarting the UF service I only got according filtered events. Of course searching only back to that point in time where I restarted the UF-service.

View solution in original post

fahrenheit · ‎03-20-2013

Hi,

now is working. I have changed

[splunktcp://:22222]

for

[cisco_asa]

thanks

fahrenheit · ‎03-20-2013

yes, i have restard splunk web service.

Can i filter in UF? i think that isn´t posible, only in heavy forwarder.

thanks

bjoernjensen · ‎03-20-2013

Hi,

I just did some testing on this topic using the filtering at the UF.

A short addition to what is discribed in the documentation (link😞 I had to keep my entry in the inputs.conf. For example:

inputs.conf: [WinEventLog:Security] disabled = 0

props.conf: [WinEventLog:Security] TRANSFORMS-set= setnull,setparsing disabled = 0

transforms.conf: [setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue

[setparsing] REGEX = Protokoll:[\w]+17 DEST_KEY = queue FORMAT = indexQueue

After restarting the UF service I only got according filtered events. Of course searching only back to that point in time where I restarted the UF-service.

fahrenheit · ‎03-20-2013

if i send the logs from firewall to splunk the filter is ok, but if i send the logs by UF the filter not working

thanks

fahrenheit · ‎03-20-2013

I have configured props.conf and transforms.conf in UF and i receive alls events. I have restarted the service in UF

bjoernjensen · ‎03-20-2013

I guess you did restart or ran "| extract reload=t" und Splunk Web respectively?

You could also do the filtering at the UF.

problem filtering data

inputs.conf

outputs.conf

Configuration in splunk indexer

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio