All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The events are not parsing

jibin1988
Path Finder
‎11-30-2019 11:46 PM

Hi,
I am using Expanded Snare syslog app in HF. But the problem here is the data is not getting parsed as per the props.conf in the app.

Do we have to install this app in indexers as well ? OR HF will do the parsing before sending the logs to indexers?

Please help!!

props.conf :

[windows_snare_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
REPORT-colon_1 = snare_colon_1
REPORT-colon_2 = snare_colon_2
#REPORT-colon_3 = snare_colon_3

EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P[^\t]+)
EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P[^\t]+)
EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P[^\t]+)

SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S
0 Karma
Reply

woodcock
Esteemed Legend
‎12-03-2019 07:51 AM

For props.conf files, best-practice is to deploy EVERYWHERE. In your case, you must deploy:

These go to the HF:

 [windows_snare_syslog]
 MAX_TIMESTAMP_LOOKAHEAD = 32
 TRANSFORMS = syslog-host
 SHOULD_LINEMERGE = False
 TIME_FORMAT = %b %d %H:%M:%S

These go to Search Head:

 [windows_snare_syslog]
 REPORT-syslog = syslog-extractions
 REPORT-colon_1 = snare_colon_1
 REPORT-colon_2 = snare_colon_2
 #REPORT-colon_3 = snare_colon_3
 EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P[^\t]+)
 EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P[^\t]+)
 EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P[^\t]+)

But just deploy it everywhere.

0 Karma
Reply

oscar84x
Contributor
‎12-02-2019 10:08 AM

The HF alone should do the trick but you could put the props and transforms on both the indexer and the HF just in case.
More importantly though, this seems to be a very old app. Have you checked that the extracts/regex, timestamps, etc in the app match the patterns on your events?

0 Karma
Reply

sanjeev543
Communicator
‎12-03-2019 04:56 AM

Hi @jibin1988 could you please be more specific, what exactly is not getting parsed?
Is it line breaking? time stamp or field extractions?

Also please provide some sample events for us to check and identify the issue

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...