Hi Mario,
Thanks for your reply.
Here are the steps I have already performed.
1. Created a logging profile on F5, and the ASM log is forwarded to Splunk over TCP 9998.
2. Splunk is configured to listen on 9998 and logs are sent to the file asm_log.
3. Edited /etc/apps/SplunkforF5Security/default/props.conf and uncommented REPORT-fields = asm_extract_10
4. Edited \etc\apps\splunkforf5security\default\transforms.conf and changed the order of fields under [asm_extract_10] to reflect the order of "storage format" under the logging profile in F5.
FIELDS = "request", "response_code", "method", "protocol", "uri", "query_string", "ip_client", "web_application_name", "violations", "unit_hostname", "management_ip_address", "policy_name", "policy_apply_date", "x_forwarded_for_header_value", "support_id", "request_status", "sig_ids", "sig_names", "date_time", "severity", "attack_type", "src_port", "dest_port", "dest_ip", "geo_location", "sub_violations", "violation_details"
After this I was able to get the Web_application_name etc. listed correctly in the log search screen. However, the dashboard was not getting updated.
Based on your comment, I copied the props.conf file from /default to the /local directory and restarted Splunk, but still none of the dashboards get updated.