Saturday, March 19, 2016

Importing Cisco ASA5550 firewall logs into Splunk and indexing only events that contain a specific string, to avoid exceeding the license volume limit


1. Splunk monitors files matching D:\Firewall-Log-Splunk\filter-tpe-asa5550*.
2. In 【props.conf】, use TRANSFORMS-set to apply the two transforms in order (setnull first, then setparsing; the order matters, because the last matching transform with DEST_KEY = queue decides where the event goes).
3. Define transforms.conf so that every event is first routed to nullQueue, and only events containing the string "0x" are pulled back to indexQueue. Events sent to nullQueue are discarded before indexing and do not count against the license volume.
4. After changing the configuration, restart the Splunk service.

C:\Program Files\Splunk\etc\apps\search\local
inputs.conf
===================================================================
[monitor://J:\Firewall-Log-Check]
disabled = false
index = firewall-log-check
whitelist =

[monitor://D:\Firewall-Log-Splunk]
disabled = false
index = tpe-asa5550
whitelist = filter-tpe-asa5550*

[monitor://D:\014-FirewallLog-Splunk]
disabled = false
index = 014-firewalllog-splunk
whitelist = tpe-014pix*


C:\Program Files\Splunk\etc\apps\learned\local
props.conf (related to 【Data inputs】->【Files & directories】->【Source type】)
=================================================================
[filter-tpe-asa]
TRANSFORMS-set = setnull, setparsing
MAX_TIMESTAMP_LOOKAHEAD = 36
is_valid = True


C:\Program Files\Splunk\etc\system\local
transforms.conf (related to 【Fields】->【Field transformations】)
=================================================================
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = 0x
DEST_KEY = queue
FORMAT = indexQueue
