topic Re: LINE_BREAKER settings works when adding input manually but not through props.conf in Getting Data In

LINE_BREAKER settings works when adding input manually but not through props.conf

att35 — Thu, 22 Oct 2020 16:39:04 GMT

Hi,

I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders.

[monitor:///var/log/barnyard2/barnyard2.alert] sourcetype=snort_unified2 index=snort

As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event-into-two/m-p/287641#M54947 , I added same settings to props.conf(Indexer and SH) but Splunk still ends up breaking each line as a separate event, as shown below:

props.conf

[snort_unified2] SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+)\[\*\*\] TIME_PREFIX = ^([^\r\n]+[\r\n]+){2} MAX_TIMESTAMP_LOOKAHEAD = 25 TIME_FORMAT = %m/%d-%H:%M:%S.%6N category = Network & Security

But when I try these settings by manually adding same input it works just fine.

Any ideas on what could be going wrong with props.conf?

Thanks,

~Abhi

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

richgalloway — Thu, 22 Oct 2020 19:21:00 GMT

Did you restart the indexers after changing the props.conf file?

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

att35 — Thu, 22 Oct 2020 20:03:39 GMT

Hi @richgalloway ,

Yes. Both Indexer and the Search Head were restarted after making the props.conf change.

Thanks,

~ Abhi

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

samcyber20 — Fri, 23 Oct 2020 01:56:07 GMT

Hi @att35 ,

check props.conf on your UF or try using btool command.

Please let me know if it helps or you found solution already.

Thanks

Sam

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

att35 — Fri, 23 Oct 2020 12:21:44 GMT

Hi @samcyber20

App that we pushed on the endpoints to collect these logs does not have any props.conf. Only inputs.conf with one stanza as I mentioned above.

Does it need a props as well with any of the entries that I added on the Indexer side?

Thanks,

~ Abhi

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

kbehl — Sun, 25 Oct 2020 19:33:26 GMT

This is an index time setting and therefore not required at universal forwarder.

Here is what you can try:

SHOULD_LINEMERGE= true

Along with one of:
BREAK_ONLY_BEFORE,
BREAK_ONLY_AFTER

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

isoutamo — Sun, 25 Oct 2020 20:22:06 GMT

Have you any HF between UF and indexer? If yes the you must put props.conf to the first HF counting from UF. If not then, please try what the next command said
splunk btool props list -debug snort_unified2
r. Ismo

Re: LINE_BREAKER settings works when adding input manually but not through props.conf

samcyber20 — Sun, 25 Oct 2020 23:20:32 GMT

Hi @att35,

use btool command mentioned by @isoutamo .

It will give you much more idea.

Thanks

Sam