
Splunk for Juniper SRX - Events Indexed is climbing however I can't view the results

bmilo
New Member

I've got an SRX 220, set to spit out logs to the Splunk. Events Indexed is at 2,475 and climbing over the last 4 hours. In troubleshooting the config, I made a couple of edits related to the inputs.conf file, so I'd like to ensure that these are correct.

  [udp://514]
  host = servername
  connection_host = ip
  sourcetype = syslog
  no_appending_timestamp = true

(On sourcetype: I've read some conflicting posts about using a custom srx_log instead of syslog. On no_appending_timestamp: I added this line after reading a couple of threads that said it was necessary.)

My issue is that when I go into the App: Splunk for Juniper SRX, regardless of whether I go to the Traffic Dashboard or the Application Dashboard, I'm receiving "No results found. Inspect..."

I'm not sure if I've banged up the config within Splunk, or if I'm not sending the correct data out of the SRX. Any help would be greatly appreciated.


okrabbe_splunk
Splunk Employee

The sourcetype needs to be "srx_log".

The README file specifically mentions this. The data comes in as srx_log and then gets split into two other sourcetypes, "srx_threat" and "srx_traffic". You can see this by going to the app and looking at the files in default called props.conf, transforms.conf and macros.conf.

In macros.conf you will see the base macros are expecting your data to have certain sourcetypes. All of the other searches are based off of this.

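To make the answer above concrete, here is an added illustration (not code from the original thread, and not the Splunk for Juniper SRX app's own props.conf/transforms.conf) of why the sourcetype matters. It mimics the two stages the answer describes: the inputs.conf stanza assigns the incoming sourcetype, and only events that arrive as srx_log are examined by the app's transforms and rewritten to srx_traffic or srx_threat. The routing regexes, the sample events and the inputs.conf text are this example's own constructed assumptions; the third sample line deliberately resembles the non-SRX syslog the poster later reports seeing on udp/514.

```python
import configparser
import re

# Constructed sample events (not from the original post). The first two
# approximate the Junos structured-syslog shape for a flow event and an IDP
# event; the third is the kind of non-SRX syslog that the thread shows
# arriving on udp/514, which no SRX rule will ever match.
SAMPLE_LINES = [
    '<14>1 2014-02-10T10:15:00.000Z srx220 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.0.0.5" '
    'destination-address="93.184.216.34" destination-port="443" '
    'policy-name="trust-to-untrust"]',
    '<12>1 2014-02-10T10:15:02.000Z srx220 RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" '
    'action="DROP"]',
    '<30>Feb 10 10:15:03 gateway mcad: ace_reporter.reporter_inform_send(): '
    'connect in progress.',
]

# Illustrative routing rules in the shape of transforms.conf stanzas
# (REGEX -> FORMAT = sourcetype::X, DEST_KEY = MetaData:Sourcetype).
# These patterns are assumptions made for this example, not the app's
# real transforms.conf.
ROUTES = [
    ("srx_traffic", re.compile(r"\bRT_FLOW_SESSION_(CREATE|CLOSE|DENY)\b")),
    ("srx_threat", re.compile(r"\bIDP_ATTACK_LOG_EVENT\b")),
]

# The stanza as posted in the question, and the same stanza with the
# one change the answer calls for.
POSTED_INPUTS = """\
[udp://514]
host = servername
connection_host = ip
sourcetype = syslog
no_appending_timestamp = true
"""
FIXED_INPUTS = POSTED_INPUTS.replace("sourcetype = syslog", "sourcetype = srx_log")


def route_sourcetype(raw, input_sourcetype):
    """Mimic the props.conf/transforms.conf sourcetype rewrite.

    Splunk only applies a props.conf stanza's TRANSFORMS-* to events whose
    incoming sourcetype matches that stanza, so an event indexed as
    'syslog' is never looked at by the [srx_log] rules and keeps its
    original sourcetype, which is why the app's macros find nothing.
    """
    if input_sourcetype != "srx_log":
        return input_sourcetype
    for dest, pattern in ROUTES:
        if pattern.search(raw):
            return dest
    # Matched no rule: stays srx_log (e.g. a non-SRX line on the same port).
    return input_sourcetype


def index_lines(lines, input_sourcetype):
    """Return {final_sourcetype: count} for a batch of raw events."""
    counts = {}
    for line in lines:
        final = route_sourcetype(line, input_sourcetype)
        counts[final] = counts.get(final, 0) + 1
    return counts


def check_inputs_conf(text):
    """Return findings for each stanza whose sourcetype is not srx_log.

    This checks only what the thread establishes: the app keys off
    sourcetype=srx_log, so any other value silently bypasses it.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        st = cfg.get(section, "sourcetype", fallback=None)
        if st != "srx_log":
            findings.append(
                f"{section}: sourcetype is {st!r}; the app expects 'srx_log'"
            )
    return findings


if __name__ == "__main__":
    print(check_inputs_conf(POSTED_INPUTS))
    print(check_inputs_conf(FIXED_INPUTS))
    print("as posted:", index_lines(SAMPLE_LINES, "syslog"))
    print("as fixed: ", index_lines(SAMPLE_LINES, "srx_log"))
```

With the posted stanza every event stays `syslog` and the dashboards have nothing to search; with `sourcetype = srx_log` the flow event becomes `srx_traffic`, the IDP event becomes `srx_threat`, and the unrelated line stays `srx_log`, which is a quick way to tell whether the box on udp/514 is actually the SRX.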

bmilo
New Member

Version 6.1
Searching sourcetype=syslog results in a page with a left column and main view. The left column is filled with Selected Fields, host (7) / source (1) / sourcetype (1), followed below by Interesting Fields: date_hour, date_mday, date_minute, date_month, etc.

My main view window lists the i, Time and Event columns, with a slew of info within those columns.

Various things like:
  • uplink is eth0
  • ace_reporter.reporter_inform_send(): connect (http://ip:8080/inform, ip=192...) in progress.
  • infctld.mcast_beacon()uplink-monitor.update() prev observation is eth[eth0]

okrabbe_splunk
Splunk Employee

What version of Splunk?

Also, can you tell us what you see if you just go to the search app and type in a search sourcetype=syslog?
