topic Re: Why is Splunk for Snort only displaying data from 12AM to 1AM? in All Apps and Add-ons

Why is Splunk for Snort only displaying data from 12AM to 1AM?

rbt111 — Wed, 02 Nov 2011 12:31:41 GMT

OK I am not crazy here I've seen this on two different machines that I've been running SplunkforSnort on.

I set up the devices to pull from the '/var/log/snort/alert' log on the box and give them a manual sourcetype of 'snort'. When I first set both boxes up things worked great. Then after about 5-7 days the application exihibits a strange behavior. It only displays the data from 12am to 1am. Has anyone else experienced this?

When I tail -f the log file I see snort alerts coming in and even when I set SplunkforSnort to 1min realtime I see the number of scanned events increase but the results shows as zero.

I am using snort 2.9.0.4 and Splunk 4.2.3 if that helps.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

Ayn — Wed, 02 Nov 2011 13:05:53 GMT

Splunk for Snort relies on a number of field extractions to work. If you manually search for sourcetype="snort" in the default search app, do you get results with both correct timestamps and correct field extractions, for instance do you see the "src_ip" and "signature" fields to the left?

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

rbt111 — Wed, 02 Nov 2011 14:01:47 GMT

I went to the default search app and entered sourcetype="snort" as you specified. It appears to be showing the same thing that the SplunkforSnort app shows meaning I can see scanned events incrementing but the number of matching events remains at zero. I do not see any of the field extractions in the left column with Field Discovery in the on position.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

Ayn — Wed, 02 Nov 2011 15:28:21 GMT

If there are no matching events you're having a problem getting the snort events into Splunk. The scanned events you're seeing that is incrementing is simply ALL events in Splunk's index. If no events with sourcetype "snort" are found, it's because no such events exist in the index. Check your input.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

rbt111 — Thu, 03 Nov 2011 00:35:16 GMT

Thank you for your assistance Ayn.

I see what is going on now my timestamp got messed up.

Example I'm showing

2/19/11
7:22:19.445 PM

For an alert @ 11/02-19:22:19.445432

It looks like I may need to modify something in props.conf but I'm not 100% sure.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

rbt111 — Thu, 03 Nov 2011 03:53:13 GMT

OK it appears to be working now. Just a simple matter of using the snort command with -y to include the year in the logs.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

Ayn — Thu, 03 Nov 2011 05:24:30 GMT

Excellent. Do let me know if you have any more questions, comments or suggestions regarding the Snort app (I wrote it), and please vote it up if you find it useful 🙂

Also please mark my (or your) answer as accepted so it shows clearly on the site that this question is closed.

Re: Why is Splunk for Snort only displaying data from 12AM to 1AM?

jbyrge0 — Fri, 20 Mar 2015 20:29:08 GMT

For an alert @ 11/02-19:22:19.445432

What is the .445432 part of that alert? is it milliseconds?