Good morning,
I have a problem filtering data from UF.
The scenario:
UF --> Splunk indexer
configuration in UF:
[default]
host = server1
[monitor:///home/user/prueba/]
disabled = false
index = firewall
sourcetype = cisco_asa
queue = parsingQueue
[tcpout]
defaultGroup = splunk
[tcpout:splunk]
disabled = false
server = 1.1.1.1:22222
compressed = false
[tcpout-server://1.1.1.1:22222]
/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/props.conf
[splunktcp://:22222]
TRANSFORMS-set= setnull,setparsing
/opt/splunk/etc/apps/Splunk_for_CiscoASA/local/transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (ASA-4-113019|ASA-5-713120)
DEST_KEY = queue
FORMAT = indexQueue
I receive all the data and the data isn't filtered.
can you help?
thanks
Hi,
I just did some testing on this topic using the filtering at the UF.
A short addition to what is described in the documentation (link): I had to keep my entry in the inputs.conf. For example:
inputs.conf:
[WinEventLog:Security]
disabled = 0
props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
disabled = 0
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Protokoll:[\w]+17
DEST_KEY = queue
FORMAT = indexQueue
After restarting the UF service I only got the correspondingly filtered events. Of course, searching only back to the point in time when I restarted the UF service.
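To make the queue-routing mechanism used in the original question and in the WinEventLog post above concrete, here is an added Python simulation; it is not code from the thread or from Splunk. It models how a TRANSFORMS-set is applied: every listed transform whose REGEX matches writes its FORMAT into the queue key in order, so the last match wins, which is why setnull has to come before setparsing. It also models the props.conf stanza lookup by sourcetype, which is why a stanza named [splunktcp://:22222] (an inputs.conf stanza name, not a props.conf one) applied to nothing while [cisco_asa] did. The ASA log lines are constructed samples, and the stanza lookup is simplified to exact sourcetype names (real props.conf also keys on source:: and host::).

```python
import re

# transforms.conf from the thread, as a Python structure.
TRANSFORMS = {
    "setnull": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {
        "REGEX": r"(ASA-4-113019|ASA-5-713120)",
        "DEST_KEY": "queue",
        "FORMAT": "indexQueue",
    },
}

# props.conf variants: the stanza name is looked up by sourcetype
# (simplification: source:: and host:: stanzas are not modelled).
PROPS_BROKEN = {"splunktcp://:22222": {"TRANSFORMS-set": "setnull,setparsing"}}
PROPS_FIXED = {"cisco_asa": {"TRANSFORMS-set": "setnull,setparsing"}}

# Constructed sample events as (sourcetype, raw) pairs; not real firewall output.
SAMPLE_EVENTS = [
    ("cisco_asa", "%ASA-4-113019: Group = vpn, Username = alice, IP = 10.0.0.5, Session disconnected."),
    ("cisco_asa", "%ASA-5-713120: Group = vpn, IP = 10.0.0.5, PHASE 2 COMPLETED"),
    ("cisco_asa", "%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.1/443"),
    ("cisco_asa", "%ASA-4-106023: Deny tcp src outside:10.1.1.1/5555 dst inside:10.0.0.2/22"),
]


def transforms_for(props, sourcetype):
    """Return the ordered transform names from the TRANSFORMS-set of the
    props stanza matching this sourcetype; no stanza means no transforms."""
    spec = props.get(sourcetype, {}).get("TRANSFORMS-set", "")
    return [name.strip() for name in spec.split(",") if name.strip()]


def route_event(raw, transform_names, transforms=TRANSFORMS):
    """Apply the transforms in TRANSFORMS-set order. Each matching transform
    with DEST_KEY = queue overwrites the queue, so the last match decides.
    Events that match nothing keep the default indexQueue."""
    queue = "indexQueue"
    for name in transform_names:
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def indexed_events(events, props, transforms=TRANSFORMS):
    """Return the raw events that would reach the indexer under these props."""
    kept = []
    for sourcetype, raw in events:
        names = transforms_for(props, sourcetype)
        if route_event(raw, names, transforms) == "indexQueue":
            kept.append(raw)
    return kept


if __name__ == "__main__":
    print("stanza [splunktcp://:22222] keeps:", len(indexed_events(SAMPLE_EVENTS, PROPS_BROKEN)))
    print("stanza [cisco_asa] keeps:", len(indexed_events(SAMPLE_EVENTS, PROPS_FIXED)))
    for _, raw in SAMPLE_EVENTS:
        print(route_event(raw, ["setparsing", "setnull"]), "<- reversed order:", raw[:20])
```

Running it shows the three situations from the thread: with the mis-named stanza every event is kept, with [cisco_asa] only the two message IDs in setparsing survive, and with the two transforms listed in the reverse order setnull matches last and sends every event to nullQueue.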
Hi,
now it is working. I have changed
[splunktcp://:22222]
to
[cisco_asa]
thanks
Yes, I have restarted the Splunk web service.
Can I filter in the UF? I think that isn't possible, only in a heavy forwarder.
thanks
If I send the logs from the firewall to Splunk the filter is OK, but if I send the logs via the UF the filter is not working.
thanks
I have configured props.conf and transforms.conf in the UF and I receive all events. I have restarted the service in the UF.
I guess you did restart, or ran "| extract reload=t" in Splunk Web, respectively?
You could also do the filtering at the UF.