Splunk® App for PCI Compliance

Data Source Integration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Acrobat logo Download topic as PDF

FAQ

I edited the transforms from Splunk Web and now I have content in the local directory. How do I merge this with the default content?

You can merge content from the local directory by copying the stanzas from the file in local directory into the corresponding file in the default directory.

For example say you want to merge the following:

The local transforms file (local/transforms.conf) includes:

   [bluecoat]
   SHOULD_LINEMERGE = false

   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

The default transforms file (default/transforms.conf) includes:

   [bluecoat]
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat

The combined transforms file (in default/transforms.conf) would look like this:

   [bluecoat]
   SHOULD_LINEMERGE = false
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

Once you have migrated all the stanzas, make sure to delete the files in the local directory.

My source data is mostly tab-delimited, but the first three fields are space-delimited... these fields contain the date and time, the log host, and the log type. What should I do?

Put these fields into one field called log_header and ignore it. The fields are not necessary for the technology add-on to function.

Known Issues

Splunk fails to extract values spanning multiple lines

Splunk fails to automatically extract values when those values span multiple lines. The fields are extracted with the correct name but the value is left empty if the original value includes multiple lines.

To work around this issue, create a transform that extracts the entire field. Below is a transform that extracts the multi-line field "message" for the source type "acme_firewall":

In transforms.conf:

   [message_for_acme_firewall]
   REGEX = ,\s+message=\"(.*?)(\",\s+\S+\=)
   FORMAT = message::"$1"

Then, enable the transform in default/props.conf in the technology add-on folder:

   [acme_firewall]
   REPORT-0 message_for_acme_firewall = message_for_acme_firewall
Last modified on 24 August, 2012
PREVIOUS
Example 2: OSSEC
  NEXT
Dashboard Requirements Matrix

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters