I have installed the Splunk for SRX application. I can see the SRX logs from the Search application, but I can't see them in the Juniper SRX application.
How can I solve this issue?
First you need to fix all of the queries that were imported as part of the application install. It is possible I am doing this the hard way, so maybe someone can give us ideas on how to clean up.
While in the SRX application (web browser), select Settings > All Configurations, then:
- For each SRX Traffic savedsearch in the list, edit the query by replacing 'srx_traffic' with sourcetype=srx_traffic
- For each SRX Threat savedsearch in the list, edit the query by replacing 'srx_threat' with sourcetype=srx_threat
The next step needs to be completed on the Splunk server (console session for Linux systems).
- Locate the Splunk directory. For us it was /opt/splunk/
- Navigate to the following subfolder: etc/apps/SplunkforJuniperSRX/default
- Edit macros.conf:
  - Replace every instance of 'srx_traffic' with sourcetype=srx_traffic
  - Replace every instance of 'srx_threat' with sourcetype=srx_threat
  - Replace every instance of action!=CREATE with NOT (action=CREATE)
After completing these changes you should have a working traffic dashboard, but your threat dashboard may remain blank. I will address that issue in a follow-on message.
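The macros.conf edits from the answer above, as an added shell example that is not part of this thread or of the Splunk for Juniper SRX app. It assumes the macros quote the tokens as 'srx_traffic' and 'srx_threat' exactly as the answer writes them; the sample macros.conf it writes is constructed for a dry run.

```shell
# Added example (not from the thread or the Splunk for Juniper SRX app):
# applies the macros.conf edits from the answer with sed, keeps a backup,
# and counts any legacy references that were missed.
# Assumption: the macros quote the sourcetype token as 'srx_traffic' /
# 'srx_threat', exactly as written in the answer.

# Rewrite one macros.conf in place (a .bak copy is kept next to it).
fix_srx_macros() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -e "s/'srx_traffic'/sourcetype=srx_traffic/g" \
        -e "s/'srx_threat'/sourcetype=srx_threat/g" \
        -e 's/action!=CREATE/NOT (action=CREATE)/g' \
        "$conf.bak" > "$conf"
}

# Print how many lines still carry the old tokens; 0 means the edit is complete.
srx_macro_legacy_refs() {
    grep -c -E "'srx_traffic'|'srx_threat'|action!=CREATE" "$1" || true
}

# Constructed sample macros.conf in the shape the answer describes (dry run only).
write_sample_macros() {
    cat > "$1" <<'EOF'
[srx_traffic_base]
definition = 'srx_traffic' action!=CREATE

[srx_traffic_sessions]
definition = 'srx_traffic' | stats count by src_ip dest_ip

[srx_threat_base]
definition = 'srx_threat'
EOF
}

# Usage: sh fix_srx_macros.sh /opt/splunk/etc/apps/SplunkforJuniperSRX/default/macros.conf
if [ "$#" -gt 0 ]; then
    fix_srx_macros "$1"
    echo "remaining legacy references: $(srx_macro_legacy_refs "$1")"
fi
```

Edits made under the app's default/ directory are overwritten when the app is upgraded; copying the rewritten macros.conf into the app's local/ directory keeps the change across upgrades. Restart Splunk afterwards so the dashboards pick up the new macro definitions.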
The last issue we saw on this was that our threat messages did not match what was being looked for by the transforms-extract. In reviewing our threat messages we noticed that the threat messages contained the following text:
This is different from the default, and I am not sure if this excludes anything we might need. You should review your own threat messages to ensure that you are getting all of the threats properly tagged. You can update your srxthreat transformation by going to Settings\Fields\Field transformations and selecting srxthreat. The Regular Expression field should match what you see in your threat messages. For us it turned out to be (RTIDS - RTSCREEN_IP).
I have resolved this issue.
I want to tell you that I'm new to Splunk; I want to know how I can generate a report from the application for SRX, because when I try to make a report, for example for the top destination address, the app finds 100 events but shows nothing.
Thanks for your help.
Just thinking. You seem to have covered or checked the right areas. I don't know your experience level, but is the inputs.conf data correct? If you want to check that, then post it here. Did you restart Splunk? 😉
If all of the above are ok, then take a look at the event data coming through from the native Search end.
I have done all the steps described in the readme file:
- change the source type in the inputs.conf file (etc/system/local) to srx_log
- edit the source type in the base macros of the application
But I still have the same issue.
Thanks for your help.
When I check Search/Report on SRX data --> SRX Traffic, the app puts 'srxtraffic' in the search field but it finds 0 matching events, and when I delete 'srxtraffic' and search for 'close' it shows the results from the logs.