Splunk for Juniper SRX - Events Indexed is climbing however I can't view the results

bmilo
New Member

I've got an SRX 220, set to spit out logs to the Splunk. Events Indexed is at 2,475 and climbing over the last 4 hours. In troubleshooting the config, I made a couple of edits related to the inputs.conf file, so I'd like to ensure that these are correct.

  • [udp://514]
  • host = servername
  • connection_host = ip
  • sourcetype = syslog //I've read some conflicting posts about using a custom srx_log instead of syslog//
  • no_appending_timestamp = true //added this line after reading a couple of threads that said it was necessary//

My issue is that when I go into the app Splunk for Juniper SRX, regardless of whether I go to the Traffic Dashboard or the Application Dashboard, I'm receiving "No results found. Inspect..."

I'm not sure if I've banged up the config within Splunk, or if I'm not sending the correct data out of the SRX. Any help would be greatly appreciated.


okrabbe_splunk
Splunk Employee

The sourcetype needs to be "srx_log".

The README file specifically mentions this. The data comes in as srx_log and then gets split into two other sourcetypes "srx_threat" and "srx_traffic". You can see this by going to the app and looking at the file in default called props.conf, transforms.conf and macros.conf.

In macros.conf you will see the base macros are expecting your data to have certain sourcetypes. All of the other searches are based off of this.

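As an added check (not code from the thread or from the Splunk for Juniper SRX app), the script below parses the inputs.conf stanza posted in the question and flags the sourcetype mismatch that this answer describes. The two stanza texts are constructed from the question; `srx_log` is the sourcetype the app's props.conf and transforms.conf key on, as stated above.

```python
"""Sanity-check a Splunk inputs.conf UDP stanza for the Juniper SRX app."""
import configparser

# Constructed sample: the stanza as posted in the question (sourcetype=syslog).
INPUTS_BEFORE = """
[udp://514]
host = servername
connection_host = ip
sourcetype = syslog
no_appending_timestamp = true
"""

# Constructed sample: the same stanza with the sourcetype the app expects.
INPUTS_AFTER = """
[udp://514]
connection_host = ip
sourcetype = srx_log
no_appending_timestamp = true
"""

# Sourcetype the app's props.conf/transforms.conf expect before splitting
# events into srx_traffic and srx_threat.
EXPECTED_SOURCETYPE = "srx_log"


def load_inputs(text):
    """Parse Splunk .conf text; it is INI-style, so configparser handles it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(text)
    return cp


def check_srx_stanza(text, stanza="udp://514"):
    """Return a list of problems found; an empty list means the stanza is usable."""
    cp = load_inputs(text)
    if not cp.has_section(stanza):
        return [f"missing stanza [{stanza}]"]
    problems = []
    sourcetype = cp[stanza].get("sourcetype")
    if sourcetype != EXPECTED_SOURCETYPE:
        problems.append(
            f"sourcetype is {sourcetype!r}, app expects {EXPECTED_SOURCETYPE!r}"
        )
    return problems


if __name__ == "__main__":
    for label, text in (("before", INPUTS_BEFORE), ("after", INPUTS_AFTER)):
        print(label, check_srx_stanza(text) or "OK")
```

After correcting the stanza and restarting the forwarder, a search such as `sourcetype=srx_log OR sourcetype=srx_traffic OR sourcetype=srx_threat | stats count by sourcetype` shows whether events arrive as srx_log and are being split as the answer describes.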

bmilo
New Member

Version 6.1
Searching sourcetype=syslog results in a page with a left column and main view. The left column is filled with Selected Fields, host (7) / source (1) / sourcetype (1), followed below by Interesting Fields: Date_hour, Date_mday, date_minute, date_month, etc.

My main view window lists i, time and event columns, with a slew of info within those columns.

  • Various things like
  • uplink is eth0
  • ace_reporter.reporter_inform_send(): connect (http://ip:8080/inform, ip=192...) in progress.
  • infctld.mcast_beacon()uplink-monitor.update() prev observation is eth[eth0]

okrabbe_splunk
Splunk Employee

What version of Splunk?

Also, can you tell us what you see if you just go to the search app and type in a search sourcetype=syslog?
