- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Why is the Splunk Add-on for Bro IDS on a Splu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the Splunk Add-on for Bro IDS on a Splunk 6.4.0 indexer not automatically extracting fields ?
Hi,
I have the a Linux box running Bro 2.4 and the Splunk Universal forwarder (6.4.0) configured to monitor my bro logs and forward to an indexer running Splunk 6.4.0 with the Splunk Add-on for Bro IDS installed.
Splunk is setting the sourcetype correctly (bro_dhcp, bro_files ect..), however, the automatic field extraction is not working.
Is there anything I am missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Resolved by including the props.conf and transforms.conf file on the forwarder along with inputs.conf, which are required to perform INDEXED_EXTRACTIONS
per the document Extract fields from files with structured data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indeed, props.conf, transforms.conf, and inputs.conf (from the Docs) on the UF for the win! The full TA on SH & IDX.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running into the same issue with EPEL bro-2.4.1-3.el7.x86_64 on CentOS 7 and Splunk 6.5.1. Sourcetype is set correctly, but the dynamic field extraction process isn't working:
props.conf:
[bro]
SHOULD_LINEMERGE = false
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s.%6N
TRANSFORMS-BroAutoType = BroAutoType, TrashComments
INDEXED_EXTRACTIONS = TSV
FIELD_HEADER_REGEX = ^#fields\t(.*)
FIELD_DELIMITER = \t
FIELD_QUOTE = \t
Sample conn.log header:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2017-02-07-16-24-39
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also confirmed the same issue with Bro 2.5 installed using the CentOS 7 RPM from: https://www.bro.org/download/packages.html
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
