Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event Logs sent to from heavy forwarders to Indexers and Qradar will be the same?

R_M
Loves-to-Learn
‎04-05-2022 04:50 AM

In our environment there are 2 HF's which are sending logs from different sources to splunk indexers and external tool Qradar.

So my question is suppose we have searched for any windows events for any specific timestamp, on search head and showing 20 events, so it is true that qradar will also received 20 events in same timestamp.

I tried do the same seems there difference is number, so want to confirm , how it will be.

If you can share any docs which says it will be same or not.

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 06:47 AM

@R_M - It depends on timestamp parsing mechanism on QRadar side.

If you know Splunk has its own timestamp parsing configuration in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition)

When HF forwards the log to Splunk it will forward with the extracted timestamp, vs when it will send to QRadar it will be without a timestamp.

 

The timestamp is not the only thing that will be different in both the tool that could impact number of events:

* line breaking

* line merging

 

If you make sure both have all the configurations logically the same then it should give the same count.

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...