WEEK_2 · DAY_09 · LAB

Lab 9 — Onboard a New Source

props.conf, transforms.conf, sourcetypes, time extraction, field extraction


Lab Objectives

  • Onboard a new data source end-to-end
  • Configure props.conf for line-breaking, timestamps, sourcetypes
  • Use transforms.conf for routing, masking, index-time fields
  • Validate parsing with btool and the data preview UI

Lab Instructions

  1. Imagine Cisco ASA firewall logs are arriving with sourcetype=too_small.
  2. Write props.conf: set sourcetype, TIME_FORMAT, LINE_BREAKER.
  3. Add transforms.conf to mask credit-card numbers (SEDCMD).
  4. Validate with btool and a sample search.
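The configuration the four steps ask for, worked through end-to-end as an added example (not part of the original lab); the log path, the index name firewall and the sourcetype name cisco:asa are assumptions. Note that SEDCMD is a props.conf setting, so the masking lives there, while transforms.conf is used here for the index-time routing the objectives mention.

```ini
# props.conf (added example; path, index and sourcetype names are assumptions)

# Steps 1-2: assign the sourcetype explicitly. Auto-classification is what
# produced too_small; a [source::...] stanza overrides it for matching files.
[source::/var/log/cisco/asa*.log]
sourcetype = cisco:asa

[cisco:asa]
# One ASA syslog event per line: break on newlines and never merge lines.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp sits at the start of the line, e.g. "Jan 12 10:22:33 asa01 %ASA-6-302013: ..."
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
# Step 3: SEDCMD (sed syntax, applied to _raw before indexing) masks card numbers.
# Keeps first/last 4 digits so analysts can still correlate; the pattern is
# deliberately simple and will also hit other 16-digit runs, so tune it.
SEDCMD-mask_cc = s/\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b/\1-XXXX-XXXX-\2/g
# (Equivalent transforms.conf route: a stanza with REGEX/FORMAT and DEST_KEY = _raw.)
# Index-time routing of every cisco:asa event via transforms.conf.
TRANSFORMS-route_asa = asa_to_firewall_index

# transforms.conf (same app as props.conf)
# REGEX matches any event; DEST_KEY rewrites the destination index.
# The target index must already exist in indexes.conf.
[asa_to_firewall_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = firewall

# Step 4: validate on the Splunk host ($SPLUNK_HOME is a placeholder)
#   $SPLUNK_HOME/bin/splunk btool props list cisco:asa --debug
#   $SPLUNK_HOME/bin/splunk btool transforms list asa_to_firewall_index --debug
# then confirm nothing still lands as too_small and the mask was applied:
#   index=firewall sourcetype=cisco:asa earliest=-1h | regex _raw="\d{4}-XXXX-XXXX-\d{4}"
```

btool's --debug output names the file each setting came from, which is how you catch a higher-precedence app silently overriding your stanza.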

SPL for this Lab

Find a misconfigured sourcetype:

index=* sourcetype=too_small earliest=-1h
| stats count by host, source

Note: too_small means Splunk couldn't determine the sourcetype; fix props.conf.