
Why is the Splunk Add-on for Bro IDS on a Splunk 6.4.0 indexer not automatically extracting fields ?

reesb
Engager

Hi,

I have a Linux box running Bro 2.4 and the Splunk Universal Forwarder (6.4.0) configured to monitor my Bro logs and forward to an indexer running Splunk 6.4.0 with the Splunk Add-on for Bro IDS installed.
Splunk is setting the sourcetype correctly (bro_dhcp, bro_files, etc.); however, the automatic field extraction is not working.

Is there anything I am missing?

stoomart
Path Finder

Resolved by including the props.conf and transforms.conf files on the forwarder along with inputs.conf, which are required to perform INDEXED_EXTRACTIONS, per the document Extract fields from files with structured data.

macrocksdc
Engager

Indeed, props.conf, transforms.conf, and inputs.conf (from the Docs) on the UF for the win! The full TA on SH & IDX.


stoomart
Path Finder

I'm running into the same issue with EPEL bro-2.4.1-3.el7.x86_64 on CentOS 7 and Splunk 6.5.1. Sourcetype is set correctly, but the dynamic field extraction process isn't working:

props.conf:

[bro]
SHOULD_LINEMERGE = false
TRUNCATE = 0
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s.%6N
TRANSFORMS-BroAutoType = BroAutoType, TrashComments
INDEXED_EXTRACTIONS = TSV
FIELD_HEADER_REGEX = ^#fields\t(.*)
FIELD_DELIMITER = \t
FIELD_QUOTE = \t

Sample conn.log header:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   conn
#open   2017-02-07-16-24-39
#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   proto   service duration    orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts   resp_ip_bytes   tunnel_parents
#types  time    string  addr    port    addr    port    enum    string  interval    count   count   string  bool    bool    count   string  count   count   count   count   set[string]
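To show what the forwarder-side INDEXED_EXTRACTIONS = TSV with FIELD_HEADER_REGEX = ^#fields\t(.*) has to do with a header like the conn.log one above, here is an added Python example (not code from the thread or from the add-on) that reads the Bro header directives and turns each record into named fields; the log text is constructed, and the two records are made up.

```python
import re

# Mirrors the props.conf setting quoted in the thread: field names come from the #fields line.
FIELD_HEADER_REGEX = r"^#fields\t(.*)"

# Constructed sample: the conn.log header directives plus two made-up records.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2017-02-07-16-24-39
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1486484679.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t52345\t198.51.100.5\t53\tudp\tdns\t0.012345\t60\t120\tSF\tT\tF\t0\tDd\t1\t88\t1\t148\t-
1486484680.000001\tCjhdw82hdjAk2lsQ\t192.0.2.11\t40000\t198.51.100.9\t443\ttcp\t(empty)\t-\t-\t-\tS0\tT\tF\t0\tS\t1\t60\t0\t0\tCa1,Cb2
"""


def parse_bro_log(text):
    """Return (field_names, records) for a Bro/Zeek TSV log, honouring its # directives."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"  # Bro defaults
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):  # header/comment lines: metadata only, never events
            if line.startswith("#separator "):
                # The first directive is space-delimited and escapes the separator (\x09 = tab).
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
                continue
            m = re.match(FIELD_HEADER_REGEX, line)
            if m:
                fields = m.group(1).split(sep)
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator": set_sep = value
            elif key == "empty_field": empty = value
            elif key == "unset_field": unset = value
            elif key == "types": types = value.split(sep)
            continue  # #path, #open, #close carry no field data
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("record has %d columns, header has %d" % (len(values), len(fields)))
        rec = {}
        for name, typ, raw in zip(fields, types, values):
            is_collection = typ.startswith(("set[", "vector["))
            if raw == unset:
                rec[name] = None                     # '-' means the field was never set
            elif raw == empty:
                rec[name] = [] if is_collection else ""  # '(empty)' means set but empty
            else:
                rec[name] = raw.split(set_sep) if is_collection else raw
        records.append(rec)
    return fields, records
```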

stoomart
Path Finder

Also confirmed the same issue with Bro 2.5 installed using the CentOS 7 RPM from: https://www.bro.org/download/packages.html
