Hello guys,
I'm not a Splunk expert, so my solution might not be optimal: I changed the regex in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/transforms.conf to accommodate inputs from both the PA FW and PA CortexDL.
The new regex was generated with the Splunk field extraction wizard.
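# Route events whose 4th comma-separated field is THREAT to sourcetype pan:threat.
# A key repeated inside one stanza is not cumulative: Splunk keeps a single REGEX
# value, so the previous firewall-only pattern is preserved here as a comment rather
# than as a second live key whose precedence depends on line order:
#   REGEX = ^[^,]+,[^,]+,[^,]+,THREAT,
# The replacement allows the first three fields to be empty ([^,\n]* instead of
# [^,]+), which is what lets CortexDL-formatted events match alongside PA FW ones.
# The wizard's doubled start anchor (^^) is redundant and reduced to a single ^.
# NOTE(review): this file lives under default/, which an app upgrade overwrites;
# the same stanza in local/transforms.conf survives upgrades and takes precedence.
# Events that match none of the pan_* stanzas keep the input's generic sourcetype,
# where the TA's pan:* field extractions (and any detections built on them) do not
# apply -- verify the routing with a search over sourcetype=pan:* after the change.
[pan_threat]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}THREAT,
FORMAT = sourcetype::pan:threat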
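# Route events whose 4th comma-separated field is TRAFFIC to sourcetype pan:traffic.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_traffic]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}TRAFFIC,
FORMAT = sourcetype::pan:traffic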
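# Route events whose 4th comma-separated field is SYSTEM to sourcetype pan:system.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,SYSTEM,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_system]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}SYSTEM,
FORMAT = sourcetype::pan:system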
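# Route events whose 4th comma-separated field is CONFIG to sourcetype pan:config.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,CONFIG,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_config]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}CONFIG,
FORMAT = sourcetype::pan:config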
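# Route events whose 4th comma-separated field is HIPMATCH to sourcetype pan:hipmatch.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,HIPMATCH,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_hipmatch]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}HIPMATCH,
FORMAT = sourcetype::pan:hipmatch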
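# Route events whose 4th comma-separated field is CORRELATION to sourcetype pan:correlation.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,CORRELATION,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_correlation]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}CORRELATION,
FORMAT = sourcetype::pan:correlation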
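# Route events whose 4th comma-separated field is USERID to sourcetype pan:userid.
# Only one REGEX value is kept per stanza, so the old firewall-only pattern is
# commented out instead of left as a duplicate key:
#   REGEX = ^[^,]+,[^,]+,[^,]+,USERID,
# The new pattern tolerates empty leading fields ([^,\n]*) so that CortexDL events
# match too; the redundant doubled anchor (^^) is reduced to ^.
[pan_userid]
DEST_KEY = MetaData:Sourcetype
REGEX = ^(?:[^,\n]*,){3}USERID,
FORMAT = sourcetype::pan:userid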