All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The events are not parsing

jibin1988
Path Finder
‎11-30-2019 11:46 PM

Hi,
I am using Expanded Snare syslog app in HF. But the problem here is the data is not getting parsed as per the props.conf in the app.

Do we have to install this app in indexers as well ? OR HF will do the parsing before sending the logs to indexers?

Please help!!

props.conf :

[windows_snare_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
REPORT-colon_1 = snare_colon_1
REPORT-colon_2 = snare_colon_2
#REPORT-colon_3 = snare_colon_3

EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P[^\t]+)
EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P[^\t]+)
EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P[^\t]+)

SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2019 07:51 AM

For props.conf files, best-practice is to deploy EVERYWHERE. In your case, you must deploy:

These go to the HF:

 [windows_snare_syslog]
 MAX_TIMESTAMP_LOOKAHEAD = 32
 TRANSFORMS = syslog-host
 SHOULD_LINEMERGE = False
 TIME_FORMAT = %b %d %H:%M:%S

These go to Search Head:

 [windows_snare_syslog]
 REPORT-syslog = syslog-extractions
 REPORT-colon_1 = snare_colon_1
 REPORT-colon_2 = snare_colon_2
 #REPORT-colon_3 = snare_colon_3
 EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P[^\t]+)
 EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P[^\t]+)
 EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P[^\t]+)

But just deploy it everywhere.

0 Karma
Reply

oscar84x
Contributor
‎12-02-2019 10:08 AM

The HF alone should do the trick but you could put the props and transforms on both the indexer and the HF just in case.
More importantly though, this seems to be a very old app. Have you checked that the extracts/regex, timestamps, etc in the app match the patterns on your events?

0 Karma
Reply

sanjeev543
Communicator
‎12-03-2019 04:56 AM

Hi @jibin1988 could you please be more specific, what exactly is not getting parsed?
Is it line breaking? time stamp or field extractions?

Also please provide some sample events for us to check and identify the issue

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its ...

Splunk and Fraud

Join us on November 13 at 11 am PT / 2 pm ET!Join us for an insightful webinar where we delve into the ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...