Splunk App for Enterprise Security · v7.3.0
DAY 9 LAB · LAB 9 — ONBOARD A NEW SOURCE · week 2
Onboard a misconfigured firewall feed — write props/transforms.
  • Cisco ASA logs arriving as sourcetype=too_small.
  • Write props.conf: TIME_FORMAT, LINE_BREAKER, sourcetype.
  • transforms.conf: SEDCMD to mask credit cards.
  • Validate with btool.
Hint: sourcetype=too_small means Splunk could not determine the sourcetype automatically. Fix it in props.conf.
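The following is an added worked example for this lab, not part of the course material or of Splunk's own configuration. It writes a minimal props.conf/transforms.conf pair for the feed described above and then applies the same sed expression locally so the masking can be checked before anything is restarted. Note that in Splunk the SEDCMD-<class> setting lives in props.conf; transforms.conf is where the regex-based sourcetype override for events that arrived as too_small belongs. The app directory name, the ASA timestamp layout, the regexes and the sample log line are all constructed for this example.

```shell
#!/bin/sh
# Added example for the onboarding lab (constructed, not course material).
# Builds local/props.conf and local/transforms.conf for a Cisco ASA feed
# that Splunk typed as too_small, and demonstrates the SEDCMD masking
# with plain sed -E (Splunk's SEDCMD uses sed syntax).

# One expression, used both in the SEDCMD below and in mask_cards:
# twelve digits followed by four captured digits -> keep only the last four.
CC_SED='s/[0-9]{12}([0-9]{4})/XXXXXXXXXXXX\1/g'

# Constructed sample event in the ASA syslog layout assumed below.
SAMPLE_LINE='Mar 12 2024 14:03:07: %ASA-6-302013: card 4111111111111111 seen'

# write_conf DIR: writes DIR/local/props.conf and DIR/local/transforms.conf
write_conf() {
    dir="$1"
    mkdir -p "$dir/local"
    cat > "$dir/local/props.conf" <<EOF
# Events that arrived as too_small: run the transform below at index
# time so they are re-typed before sourcetype-based settings apply.
[too_small]
TRANSFORMS-set_asa_sourcetype = asa_from_too_small

[cisco:asa]
SHOULD_LINEMERGE = false
# ASA syslog is one event per line; break on newlines only.
LINE_BREAKER = ([\r\n]+)
# Timestamp layout assumed for this example: "Mar 12 2024 14:03:07"
TIME_PREFIX = ^
TIME_FORMAT = %b %d %Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 24
# Mask 16-digit card numbers, keeping the last four for correlation.
SEDCMD-mask_cards = ${CC_SED}
EOF
    cat > "$dir/local/transforms.conf" <<'EOF'
# Match the ASA message-id prefix and rewrite the sourcetype.
[asa_from_too_small]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype
EOF
}

# mask_cards: apply the SEDCMD expression to stdin, as Splunk would at
# index time, so the effect can be checked on captured lines beforehand.
mask_cards() {
    sed -E "$CC_SED"
}

# Demo: write the configs into a scratch app dir and show the masking.
demo_dir=$(mktemp -d)
write_conf "$demo_dir"
printf '%s\n' "$SAMPLE_LINE" | mask_cards
# Validation step from the lab, run on the Splunk host after deploying:
#   splunk btool props list cisco:asa --debug
#   splunk btool transforms list asa_from_too_small --debug
```

The btool lines at the end are the lab's validation step and are left as comments because they need a Splunk installation; everything else runs on any POSIX shell with sed -E.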