
Using AWS SNS to get data into Splunk. See data coming in but dashboards stay empty

RemcodeBerk
New Member

Can't use syslog from Deep Security Cloud solution to Splunk Cloud. So I use log forwarding to SNS and in AWS I forward the incoming event to Splunk Cloud. I put the events in the correct sourcetypes in Splunk and I see the data is coming in but dashboards stay empty.

It looks like the names of the items do not match what the app is searching for.

Any ideas where to look?

Thanks

0 Karma

chanfoli
Builder

Hello. I was wondering if you would mind providing details on the component(s) you used to move the data from your SNS topic into Splunk Cloud.

Thanks,
Sean

0 Karma

woodcock
Esteemed Legend

The general approach is to hover in the lower corner of the dashboard panel and click Open in search. Then you have the search that powers the panel. Now strip off everything after the last pipe ( | ) character and re-run the search. Keep doing this until you have data, then figure out why the stuff you removed isn't working. It will probably be a sourcetype value inside of an eventtype that does not match.

0 Karma

RemcodeBerk
New Member

Thanks,
If I strip off everything after the last pipe, I get events.

e.g. Trend App is looking for: cef_severity or dvchost or LI_Description etc. But the SNS log from trend has: severity, OSSEC_Hostname and OSSEC_Description.

I changed the searches trying to find something that matches. And this works...
But, I am afraid when the first update of the trendapp comes along, the original searches are back and the app will break again.

Also I am not sure if the replacement keys I used give the same results as the original.

Question 1: Can I change the dashboards without consequences for new versions of the Trend app?
Question 2: Is there a translation table between the SNS (OSSEC etc.) and Trend App (CEF) keys?

I think it is strange that Trend uses different keys for this? But maybe I am the only one 🙂

Thanks
Remco

0 Karma

woodcock
Esteemed Legend

A1: No. The consequence is that the KO that you changed will never be changed by app upgrades; your local change will always override those app changes.
A2: I am speaking in generalities and I do not know the specifics of this app and AWS but you should definitely contact the app developer.

0 Karma
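A way to get the app's stock searches working without editing its dashboards (so an app upgrade cannot undo the fix) is to add search-time field aliases that expose the SNS field names under the CEF names the app looks for. The stanza below is an added example, not configuration shipped by Trend Micro, the Splunk app or AWS; the sourcetype name is a placeholder, and the three field equivalences are taken only from the observation in this thread (severity vs. cef_severity, OSSEC_Hostname vs. dvchost, OSSEC_Description vs. LI_Description), so they should be confirmed against the vendor's field documentation before relying on them for alerting.

```ini
# local/props.conf in the app (or in a small private add-on uploaded to Splunk Cloud).
# Settings in local/ survive app upgrades; the app's default/ files do not.
# Replace the stanza name with the sourcetype you assigned to the SNS-forwarded events.
[trend_sns_placeholder_sourcetype]

# FIELDALIAS is applied at search time, so no re-indexing is needed and the
# original field names remain available. Assumed mappings (from this thread),
# one "<existing_field> AS <alias>" pair per field the app expects:
FIELDALIAS-trend_sns_to_cef = severity AS cef_severity OSSEC_Hostname AS dvchost OSSEC_Description AS LI_Description
```

To check that the aliases take effect, run a search over the same sourcetype such as `sourcetype=trend_sns_placeholder_sourcetype | stats count by cef_severity, dvchost` and then open one of the app's empty dashboard panels in search again; if a panel still returns nothing, strip it back pipe by pipe as described above to find the next field or eventtype that has no equivalent in the SNS payload. In Splunk Cloud the same aliases can also be created in the UI under Settings > Fields > Field aliases, which writes them to a local/ file for you.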