Lookups for the Splunk Add-on for Cisco ASA
Note
In version 6.0.0 of the Splunk Add-on for Cisco ASA, you must
use the lookup file cisco_asa_action_lookup_600.csv instead of
cisco_asa_action_lookup.csv or cisco_asa_action_lookup_520.csv.
For the corresponding stanza, cisco_asa_action_lookup or
cisco_asa_action_lookup_520, use cisco_asa_action_lookup_600.
The Splunk Add-on for Cisco ASA provides the following
lookups. The lookup files map fields
from Cisco ASA systems to CIM-compliant values in the Splunk platform.
The lookup files are located in
$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-asa/lookups:
| File name | Description |
|---|---|
| cisco_asa_action_lookup_600.csv | CSV Lookup. Based on the vendor_action and message_id fields, the lookup populates the action field. |
| cisco_asa_change_analysis_lookup.csv | CSV Lookup. Based on a specific message_id field, the lookup populates the following fields: change_class, change_description, change_type, and object_type. |
| cisco_asa_protocol_version.csv | CSV Lookup. Based on the src and dest fields, the lookup determines whether the IPv4 or IPv6 protocol is implemented. |
| cisco_asa_severity_lookup_600.csv | CSV Lookup. Based on the signature_id field, the lookup extracts vendor_severity and severity. |
| cisco_asa_syslog_severity_lookup.csv | CSV Lookup. Based on the log_level field, the lookup extracts severity_level and description. |
| cisco_asa_vendor_class_lookup.csv | CSV Lookup. Based on the message_id field, the lookup extracts vendor_class and vendor_definition. |
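As an added example, not part of the add-on or of this documentation, the following Python script shows how the two kinds of lookup described above behave when applied to parsed ASA events: a two-key CSV match in the shape of cisco_asa_action_lookup_600.csv (vendor_action + message_id → action) and the src/dest protocol-version check. The lookup rows and the output field name protocol_version are constructed assumptions, not the add-on's real file contents.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the column layout of cisco_asa_action_lookup_600.csv.
# These are illustrative values only, not the add-on's shipped lookup contents.
ACTION_LOOKUP_CSV = """vendor_action,message_id,action
Built,302013,allowed
Teardown,302014,teardown
Deny,106023,blocked
"""


def load_lookup(csv_text, key_fields):
    """Index a CSV lookup by a tuple of key fields (case-insensitive, like a Splunk CSV lookup)."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[f].strip().lower() for f in key_fields)
        table[key] = {k: v for k, v in row.items() if k not in key_fields}
    return table


ACTION_TABLE = load_lookup(ACTION_LOOKUP_CSV, ("vendor_action", "message_id"))


def protocol_version(src, dest):
    """Classify a flow as 'ipv4' or 'ipv6' from its src and dest addresses.

    Returns None when either address is unparseable or the two families differ,
    so a malformed event does not get a misleading protocol_version value.
    """
    try:
        versions = {ipaddress.ip_address(addr).version for addr in (src, dest)}
    except ValueError:
        return None
    if len(versions) != 1:
        return None
    return "ipv4" if versions.pop() == 4 else "ipv6"


def enrich(event):
    """Apply the action lookup and the protocol-version check to one parsed event (a dict)."""
    out = dict(event)
    key = (event.get("vendor_action", "").lower(), event.get("message_id", "").lower())
    # An unmatched key adds nothing, which is how an unmatched CSV lookup row behaves in Splunk.
    out.update(ACTION_TABLE.get(key, {}))
    if "src" in event and "dest" in event:
        version = protocol_version(event["src"], event["dest"])
        if version is not None:
            out["protocol_version"] = version  # assumed output field name
    return out
```

Events whose vendor_action/message_id pair is absent from the table keep action unset, which is the case to watch for when a new ASA message ID appears in your logs before the lookup has a row for it.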