All Apps and Add-ons

aws:sqs:securityhub splunk sourcetype jason format

Splunk_rocks
Path Finder

Hello,
Any one have any luck with extracting jason format data for sourcetype foraws:sqs:securityhub.
Currently that sorcetype not extracting properly . Any help will be appreciated ..

0 Karma

livehybrid
Contributor

Hi!
Im not sure if any apps currently extract fields from the aws:sqs:securityhub sourcetype. Is this as sourcetype that you have defined in your Splunk instance?
If so, does it match what you'd expect to see?
Im not familiar with this sourcetype, but is it JSON format? If so, I'd consider adding your own sourcetype and setting kvmode=json

Let me know

Will

0 Karma

Splunk_rocks
Path Finder

Please Im aware all this settings and already using those in my props file its not parsing all fields properly so who ever ingested AWS data they may have experienced same issues.
so im looking more in depth answer who ever used this sourcetype ... not simple props transforms things ..

TIA..

0 Karma

Aatom
Explorer

@Splunk_rocks 

Hey, I am having issues with SecurityHub parsing as well. Did you ever find a solution?

 

This is my issue. Let me know if you found a solution.

https://community.splunk.com/t5/Getting-Data-In/How-to-SEDCMD-nested-json-calculated-as-string/m-p/5...

 

Thanks!

 

0 Karma