When you do this you need to place the broadest transforms statement first in your props.
props.conf:
[cisco:asa]
TRANSFORMS-ASA6 = ASA4,ASA1,ASA6

transforms.conf:
# Narrow match: one specific ASA-6 message ID
[ASA6]
REGEX = ASA-6-725003
DEST_KEY = _TCP_ROUTING
FORMAT = test1,test2

# Broad match: every severity 6 message
[ASA1]
REGEX = ASA-6-
DEST_KEY = _TCP_ROUTING
FORMAT = test2

# Severities 1 through 5
[ASA4]
REGEX = ASA-[1-5]-
DEST_KEY = _TCP_ROUTING
FORMAT = test1,test2
Since we are filtering on ASA 6 data, we want to list the transform statement that is for the broadest range, so in the example we want to list ASA1 before ASA6. ASA4 can be listed at any point. This is because Splunk is setting flags on the data, and by doing the narrow first, then the broad, the broad is overwriting the flag on the narrow. So all data flows to ASA1 instead of the intended target.
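The ordering effect described in the post above, as a simplified model added here for illustration (not the poster's code and not Splunk's implementation). It assumes each matching transform overwrites `_TCP_ROUTING` in the order listed in props.conf; the sample events are constructed and the regexes are written as `ASA-6-` and `ASA-[1-5]-`.

```python
import re

# Stanzas modelled on the post's transforms.conf: name -> (REGEX, FORMAT).
# Every stanza writes the same DEST_KEY (_TCP_ROUTING).
TRANSFORMS = {
    "ASA6": (r"ASA-6-725003", "test1,test2"),   # narrow: one message ID
    "ASA1": (r"ASA-6-", "test2"),               # broad: all severity 6
    "ASA4": (r"ASA-[1-5]-", "test1,test2"),     # severities 1 through 5
}

# Constructed sample events (documentation address ranges).
EVENTS = {
    "ssl_resume": "%ASA-6-725003: SSL client outside:192.0.2.10/51000 "
                  "request to resume previous session.",
    "built_conn": "%ASA-6-302013: Built inbound TCP connection 1001 for "
                  "outside:192.0.2.10/51000 to inside:198.51.100.5/443",
    "acl_deny":   "%ASA-4-106023: Deny tcp src outside:192.0.2.10/51000 "
                  "dst inside:198.51.100.5/22 by access-group \"outside_in\"",
}


def route(raw, order, default="(default group)"):
    """Apply transforms in the listed order; each match overwrites the key."""
    routing = default
    for name in order.split(","):
        regex, fmt = TRANSFORMS[name.strip()]
        if re.search(regex, raw):
            routing = fmt  # a later match replaces the earlier value
    return routing


def compare(orders):
    """Return {order: {event_name: final _TCP_ROUTING value}}."""
    return {o: {n: route(raw, o) for n, raw in EVENTS.items()} for o in orders}


if __name__ == "__main__":
    # Broad-before-narrow (as in the post) versus narrow-before-broad.
    for order, result in compare(["ASA4,ASA1,ASA6", "ASA6,ASA1,ASA4"]).items():
        print(f"TRANSFORMS-ASA6 = {order}")
        for name, groups in result.items():
            print(f"  {name:<11} -> {groups}")
```

With the narrow stanza listed first, the 725003 event ends up in `test2` only, which is the misrouting the post describes.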