You get an upvote just for helping; how 'bout that!? But no, the ASA version has not changed; what's changed is Splunk, apps & add-ons have been upgraded. But like I said, going to the Splunk_TA_cisco-asa/default/transforms.conf and copying the REGEX from below, Splunk matches it to events in search but the field is not extracted thus causing eventtypes not to work which in-turn cause CIM tags not to be applied correctly. [cisco_asa_message_id_722041] REGEX = -722041:\s*TunnelGroup\s+(?:\<\s*)?(?<tunnel_group>[^\>\s]+)(?:\s*\>)?\s+GroupPolicy\s+(?:\<\s*)?(?<group_policy>[^\>\s]+)(?:\s*\>)?\s+User\s+(?:\<\s*)?(?<user>[^\>\s]+)(?:\s*\>)?\s+IP\s+(?:\<\s*)?(?<src_ip>[^\>\s]+)(?:\s*\>)?
... View more