Hi,
I'm trying to extract a fields using props.conf,it's not working as expected.Is there a better way to extract them?
event:
May 4 13:37:50 abcd fdf: Protocol: TCP, SrcIP: 111.111.111.12, OriginalClientIP: ::, DstIP: 110.112.113.114, SrcPort: 56896, DstPort: 80, TCPFlags: 0x0, IngressZone: INSIDE, EgressZone: OUTSIDE, DE: Primary Detection Engine (dsdsdasdsda), Policy: C_POLICY, ConnectType: Start, AccessControlRuleName: inside to outside, AccessControlRuleAction: Allow, Prefilter Policy: r_Prefilter, UserName: No Authentication Required, UserAgent: Mozilla/5.0 (compatible; MSIE 8.0;), Client: Internet Explorer, ClientVersion: 8.0, ApplicationProtocol: HTTP, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 394, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, ReferencedHost: splunk.com, URLCategory: Business and Economy, URLReputation: Well known, URL: http://splunk.com/
To the add-on props, I added field 'rule' fro extraction, its not working.
[cisco:ftd]
SHOULD_LINEMERGE = 0
TIME_FORMAT = %b %d %H:%M:%S
category = Network & Security
description = Output produced by the Cisco Firepower Thereat Defense (FTD) Firew all
pulldown_type = 1
EXTRACT-AccessControlRuleName = AccessControlRuleName:\s(?(.*?))(,|\z)
EXTRACT-SrcIP = SrcIP:\s(?(.*?))(,|\z)
EXTRACT-DE = DE:\s(?(.*?))(,|\z)
EXTRACT-DNSResponseType = DNSResponseType:\s(?(.*?))(,|\z)
EXTRACT-DstIP = DstIP:\s(?(.*?))(,|\z)
... View more