Lookups for the Splunk Add-on for Cisco ASA
In version 5.2.0 and later of the Splunk Add-on for Cisco ASA, you must use the lookup file cisco_asa_action_lookup_520.csv instead of cisco_asa_action_lookup.csv. For the corresponding stanza, cisco_asa_action_lookup, use cisco_asa_action_lookup_520.
The Splunk Add-on for Cisco ASA provides the following lookups. The lookup files map fields from Cisco ASA systems to CIM-compliant values in the Splunk platform. The lookup files are located in
$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/lookups:
| File name | Description |
|---|---|
cisco_asa_action_lookup_520.csv
|
CSV Lookup. Based on vendor_action and message_id fields, lookup populates the action field.
|
cisco_asa_change_analysis_lookup.csv
|
CSV Lookup. Based on a specific message_id field, lookup populates the following fields: change_class, change_description, change_type, and object_type.
|
| cisco_asa_protocol_version.csv | CSV Lookup. Based on src and dest fields, the lookup determines whether the IPv4 or IPv6 protocol is implemented.
|
cisco_asa_severity_lookup.csv
|
CSV Lookup. Based on signature_id, lookup extracts vendor_severity, and severity.
|
cisco_asa_syslog_severity_lookup.csv
|
CSV Lookup. Based on the log_level field, the lookup extracts severity_level, and description.
|
cisco_asa_vendor_class_lookup.csv
|
CSV Lookup. Based on the message_id field, this lookup extracts the vendor_class and vendor_definition.
|
Last modified on 29 May, 2024
| Source and event types for the Splunk Add-on for Cisco ASA | Release notes for the Splunk Add-on for Cisco ASA |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Download manual
Feedback submitted, thanks!