https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127033#M10102 <P>example bro_notice fields go ts (tab) uid (tab) id.orig_h (tab) etc etc splunk is like ignoring these????? Do I need to manually recreate all the fields????</P> Mon, 28 Sep 2020 19:24:59 GMT cdupuis123 2020-09-28T19:24:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127033#M10102 <P>example bro_notice fields go ts (tab) uid (tab) id.orig_h (tab) etc etc splunk is like ignoring these????? Do I need to manually recreate all the fields????</P> Mon, 28 Sep 2020 19:24:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127033#M10102 cdupuis123 2020-09-28T19:24:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127034#M10103 <P>It is supposed to parse the fields, and it continues to do so in our automated tests and demo environments. I don't know what you're doing differently. You could file a ticket, since it's a supported app, or follow the troubleshooting tips at <A href="http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons">http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons</A></P> Sat, 11 Apr 2015 21:37:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127034#M10103 jcoates_splunk 2015-04-11T21:37:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127035#M10104 <P>I have exactly the same issue with bro running on linux with a universal forwarder (6.4.0) sending data to an indexer running Splunk Enterprise (also 6.4.0) and the latest bro addon(3.2.0).</P> <P>Is there a fix planned?</P> Tue, 10 May 2016 13:56:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127035#M10104 reesb 2016-05-10T13:56:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127036#M10105 <P>I have a similar issue. I have a search head and separate indexer; there is a universal forwarder sending the Bro log files to the indexer (I'm not bothering with the PCAP stuff for now).</P> <P>Logs are being ingested ok, and my input for the deployment app looks like:</P> <PRE><CODE>[monitor:///usr/local/bro/logs/current] disabled = 0 sourcetype = bro index = bro whitelist = \.log$ </CODE></PRE> <P>The sourcetype is appearing ok but the field extractions aren't working. Am I missing an install/config step?</P> Wed, 01 Jun 2016 16:28:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127036#M10105 alexlomas 2016-06-01T16:28:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127037#M10106 <P>For others' info, universal forwarders are not supported for Bro, you have to run a heavy forwarder with the Bro app installed. Once you have that then the fields extraction works as intended.</P> Wed, 08 Jun 2016 15:09:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-Add-on-for-Bro-IDS-not-automatically/m-p/127037#M10106 alexlomas 2016-06-08T15:09:37Z