- Released to fix a few bugs that we were noticing with date and hostname parsing internally when sometimes there would be a single extra field immediately following the initial timestamp in syslog entries. The first three transforms have been adjusted, and should work universally... however, if you want to go back to the old versions from 1.6, they are still in there under "default/transforms.conf". Comment out the new REGEX and FORMAT entries and uncomment the old ones, then restart Splunk to restore the prior behavior.
Updated to allow the extractions to properly work with variances in spacing that we were observing (which were causing none of the extractions to work). Sorry for the oversight.
Added extractions for the SRX CLOSE/CREATE/DENY messages that were cited by mbassettjr in the comments. Thanks for that... unfortunately we only recently implemented functionality to show messages in those formats, so we were unable to have that output to test against originally.
All 3 new ones SHOULD be working fine, but I noticed that we have an extra field in our DENY output logs vs mbassettjr's version in the comments. If your results seem off for those messages, take a look at his version below. The other two (CLOSE and CREATE) were implemented directly and work fine for us without modification.
Also, there are now field aliases in place for "policy_name" to "policy_id", "inbound_interface" to "src_zone" and "outbound_interface" to "dest_zone".
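To make the two parsing points above concrete (tolerating a single extra token right after the syslog timestamp, and absorbing irregular spacing) and to show how the field aliases layer on top of the extracted fields, here is an added Python example. It is not code from this app or from Splunk; it is a stand-alone illustration of the same extraction logic. The sample lines are constructed, the key=value body is a hypothetical layout rather than the real SRX RT_FLOW message format, and the token "extra-tok" stands in for whatever extra field appears in a given environment. Only the field names and alias names come from the release notes.

```python
import re

# Constructed sample syslog lines (not from the page or the app). The key=value
# body is a hypothetical layout, not the real SRX RT_FLOW message format; only
# the field names come from the release notes. Line 2 carries a single extra
# token right after the timestamp; line 3 has irregular run-on spacing.
SAMPLE_LINES = [
    "Jan  5 10:15:32 fw01 RT_FLOW: RT_FLOW_SESSION_DENY: policy_name=allow-web "
    "inbound_interface=trust outbound_interface=untrust",
    "Jan  5 10:15:33 extra-tok fw01 RT_FLOW: RT_FLOW_SESSION_CLOSE: policy_name=allow-web "
    "inbound_interface=trust outbound_interface=untrust",
    "Jan  5 10:15:34   fw01   RT_FLOW:   RT_FLOW_SESSION_CREATE:   policy_name=allow-web  "
    "inbound_interface=trust    outbound_interface=untrust",
]

# Syslog header: BSD timestamp, at most one optional extra token, hostname, then
# a program tag terminated by ':'. Using \s+ instead of a literal single space
# absorbs the spacing variance; the optional group is only consumed when the
# following token is a hostname that is itself followed by a 'program:' tag.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"\s+(?:(?P<extra>[^\s:]+)\s+)?"
    r"(?P<host>[^\s:]+)\s+"
    r"(?P<program>[^\s:]+):\s*"
    r"(?P<message>.*)$"
)

# key=value pairs in the message body (hypothetical layout, see above)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Field aliases named in the release notes. As with a Splunk field alias, the
# original field is kept and the alias is added alongside it.
FIELD_ALIASES = {
    "policy_name": "policy_id",
    "inbound_interface": "src_zone",
    "outbound_interface": "dest_zone",
}


def parse_line(line):
    """Return a dict of extracted fields, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    # Keep the header groups that matched; 'extra' is absent when no extra token was present.
    fields = {k: v for k, v in m.groupdict().items()
              if v is not None and k != "message"}
    # The first token of the message is the SRX event name (e.g. RT_FLOW_SESSION_DENY).
    event, _, body = m.group("message").partition(":")
    fields["event"] = event.strip()
    for key, value in KV_RE.findall(body):
        fields[key] = value
    # Apply aliases without removing the source fields.
    for src, alias in FIELD_ALIASES.items():
        if src in fields:
            fields[alias] = fields[src]
    return fields


def parse_all(lines=SAMPLE_LINES):
    """Parse every line; unparseable lines yield None so they can be counted."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for record in parse_all():
        print(record)
```

The optional `extra` group is deliberately greedy-but-backtracking: on a line with no extra token the engine first tries to treat the hostname as the extra field, fails to find a `program:` tag after it, and falls back to the normal header, so one expression covers both layouts without a second transform.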