Lookups for the Splunk Add-on for Cisco ASA
In version 5.2.0 and later of the Splunk Add-on for Cisco ASA, you must use the lookup file cisco_asa_action_lookup_520.csv instead of cisco_asa_action_lookup.csv. For the corresponding stanza, use cisco_asa_action_lookup_520 instead of cisco_asa_action_lookup.
The Splunk Add-on for Cisco ASA provides the following lookups. The lookup files map fields from Cisco ASA systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/lookups:
| File name | Description |
|---|---|
| cisco_asa_action_lookup_520.csv | CSV lookup. Based on the vendor_action and message_id fields, the lookup populates the action field. |
| cisco_asa_change_analysis_lookup.csv | CSV lookup. Based on a specific message_id field, the lookup populates the following fields: change_class, change_description, change_type, and object_type. |
| cisco_asa_protocol_version.csv | CSV lookup. Based on the src and dest fields, the lookup determines whether the IPv4 or IPv6 protocol is in use. |
| cisco_asa_severity_lookup.csv | CSV lookup. Based on the signature_id field, the lookup extracts vendor_severity and severity. |
| cisco_asa_syslog_severity_lookup.csv | CSV lookup. Based on the log_level field, the lookup extracts severity_level and description. |
| cisco_asa_vendor_class_lookup.csv | CSV lookup. Based on the message_id field, the lookup extracts vendor_class and vendor_definition. |