I've created this filter and placed it in the config files mentioned below, in the following directory:
D:\Program Files (x86)\Splunk\etc\system\local

props.conf
[cisco:asa]
TRANSFORMS-null = setnull

transforms.conf
[setnull]
REGEX = (?=.*ASA-4-106100)(?=.\b(Built|Teardown|permitted)\b)
DEST_KEY = queue
FORMAT = nullQueue

The filter doesn't seem to work. Anyone have any suggestions?
Thanks
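
The posted REGEX can be checked offline before touching the indexer. The following is an added example, not part of the original post: it uses Python's `re` module (assumed equivalent to Splunk's PCRE for the lookahead, `.` and `\b` constructs used here), and the sample events and the `VARIANT` pattern are constructed for illustration.

```python
import re

# Pattern exactly as posted in transforms.conf.
POSTED = r"(?=.*ASA-4-106100)(?=.\b(Built|Teardown|permitted)\b)"
# Hypothetical variant (not from the post): both lookaheads evaluated from the
# start of the event, and ".*" instead of "." before the keyword.
VARIANT = r"^(?=.*ASA-4-106100)(?=.*\b(Built|Teardown|permitted)\b)"

# Constructed sample events (documentation IP ranges, not real logs).
SAMPLES = [
    "Jan 01 00:00:01 fw1 %ASA-4-106100: access-list outside_in permitted tcp "
    "outside/192.0.2.10(51000) -> inside/198.51.100.5(443) hit-cnt 1 first hit",
    "Jan 01 00:00:02 fw1 %ASA-4-106100: access-list outside_in denied tcp "
    "outside/192.0.2.11(51001) -> inside/198.51.100.5(22) hit-cnt 1 first hit",
    "Jan 01 00:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 1001 "
    "for outside:192.0.2.10/51000 to inside:198.51.100.5/443",
]


def routed_to_null(pattern, events):
    """True for each event the pattern matches (unanchored search, as REGEX does)."""
    rx = re.compile(pattern)
    return [rx.search(e) is not None for e in events]


def lookahead_positions(event):
    """Offsets at which each lookahead of POSTED succeeds when tested on its own."""
    first = [m.start() for m in re.finditer(r"(?=.*ASA-4-106100)", event)]
    second = [m.start() for m in
              re.finditer(r"(?=.\b(Built|Teardown|permitted)\b)", event)]
    return first, second


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("variant", VARIANT)):
        print(name, routed_to_null(pat, SAMPLES))
    first, second = lookahead_positions(SAMPLES[0])
    print("first lookahead succeeds up to offset", max(first))
    print("second lookahead succeeds only at offset(s)", second)
```

Both lookaheads in the posted pattern must succeed at the same offset. On the constructed "permitted" event the first succeeds only at or before the message ID and the second only at the character just before the keyword, so the two never coincide.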