Getting Data In

How to parse event logs with JSON (Syntax highlighted)?

SecDesh
Path Finder

Good Morning,

I am pulling zeek (Bro) logs into my Splunk to view events. However, some of these events will display proper syntax highlights while others will just display raw text only, regardless of their log source. The main difference between the 2 I've noticed is that the events that display proper syntax highlights only have 1 time stamp, while other events with multiple time stamps will display as raw text. Multiple searches have led me to create my own local props.conf and transforms.conf files, which contain this information at this time:


transforms.conf:
[TranSON]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)({.+})$
FORMAT = $2

props.conf
[my_source_type]
KV_MODE = JSON
TRANSFORMS-JSON = TranSON
SHOULD_LINEMERGE = false
LINE_BREAKER=([\r\n\s]*)(?=\{\s*"ts":)
TIME_FORMAT=%m-%d%-%Y %H:%M:%S.%4n
TIME_PREFIX="timestamp":\s*"
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE = 0
EVENT_BREAKER_ENABLE = true

 

Here are also 2 examples of the events (I will write them both out in raw text), one that is displaying the syntax highlights and one that doesn't.

Event that shows Syntax highlights:  {"ts":1659441156.916498,"host":"1.1.1.1","port_num":123,"port_proto":"udp","service":[""]}

 

Event that does not show Syntax highlights:

{"ts":1659441445.280528,"id.orig_h":"1.1.1.1","id.orig_p":123,"id.resp_h":"1.1.2.2","id.resp_p":456}
{"ts":1659441456.795169,"id.orig_h":"1.1.3.4","id.orig_p":789,"id.resp_h":"1.1.7.9","id.resp_p":456}

 

Any information would be greatly appreciated, I don't know if I'm missing something or I am approaching this wrong.

 

0 Karma

richgalloway
SplunkTrust

Splunk will do syntax highlighting for a single event, but not when multiple events are combined as in the second example.  I believe the problem there lies with the LINE_BREAKER setting.  IME, Splunk doesn't handle lookaheads well and they add no value in this case so try omitting it (the lookahead).

 

LINE_BREAKER = ([\r\n\s]*)(\{\s*"ts":)

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
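As an added illustration (written for this page, not code from the thread or from Splunk), the following Python approximates what the two LINE_BREAKER candidates above do to the OP's two conn events, how the OP's TranSON transform behaves on a prefixed versus a bare JSON event, and what the "ts" field of those events actually holds. The two conn events are the ones from the question; the syslog-style prefixed event is constructed. The capture-group rule it models is Splunk's documented one (text of the first capture group is discarded and marks the event boundary), but the matching is done by Python's regex engine, which is an assumption, not Splunk's own parser.

```python
import json
import re
from datetime import datetime, timezone

# Constructed raw chunk: the two conn events from the question, newline-separated,
# as an indexer would see them before line breaking.
RAW_CHUNK = (
    '{"ts":1659441445.280528,"id.orig_h":"1.1.1.1","id.orig_p":123,'
    '"id.resp_h":"1.1.2.2","id.resp_p":456}\n'
    '{"ts":1659441456.795169,"id.orig_h":"1.1.3.4","id.orig_p":789,'
    '"id.resp_h":"1.1.7.9","id.resp_p":456}\n'
)

# Constructed event with a syslog-style prefix, to exercise the TranSON regex.
PREFIXED_EVENT = (
    'Aug  2 12:30:56 sensor01 zeek_known_services: '
    '{"ts":1659441156.916498,"host":"1.1.1.1","port_num":123,'
    '"port_proto":"udp","service":[""]}'
)

# The OP's lookahead LINE_BREAKER and the plain capture form from the reply.
LOOKAHEAD_BREAKER = r'([\r\n\s]*)(?=\{\s*"ts":)'
CAPTURE_BREAKER = r'([\r\n\s]*)(\{\s*"ts":)'

# The OP's transforms.conf: REGEX = ^([^{]+)({.+})$ with FORMAT = $2
TRANSON_REGEX = re.compile(r'^([^{]+)({.+})$')


def line_break(raw, breaker):
    """Model of LINE_BREAKER semantics (assumption: Python re, not Splunk's engine).

    At every match, the text of capture group 1 is discarded; its start ends the
    previous event and its end begins the next one. Empty events are dropped.
    """
    events, start = [], 0
    for m in re.finditer(breaker, raw):
        if m.start(1) == m.end(1) == start:
            # zero-width group at the current event start: nothing to split yet
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def apply_transon(raw):
    """Apply the TranSON transform to one _raw value.

    As in Splunk, _raw is left unchanged when REGEX does not match. Because
    [^{]+ needs at least one non-brace character before the JSON, an event that
    already starts with "{" is never rewritten, and because "." does not cross a
    newline, a chunk holding two merged events is not rewritten either.
    """
    m = TRANSON_REGEX.match(raw)
    return m.group(2) if m else raw


def extract_ts(event):
    """Return the Zeek "ts" field. In these events it is an epoch float, not a
    string under a "timestamp" key, so a TIME_PREFIX of "timestamp" finds nothing."""
    return float(json.loads(event)["ts"])


def ts_to_utc(ts):
    """Render an epoch-seconds timestamp as ISO 8601 UTC, for eyeballing."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    for name, breaker in (("lookahead", LOOKAHEAD_BREAKER), ("capture", CAPTURE_BREAKER)):
        events = line_break(RAW_CHUNK, breaker)
        print(f"{name}: {len(events)} event(s)")
        for e in events:
            print("   ", ts_to_utc(extract_ts(e)), e[:40], "...")
    print("prefixed -> ", apply_transon(PREFIXED_EVENT)[:40], "...")
    print("bare chunk unchanged:", apply_transon(RAW_CHUNK) == RAW_CHUNK)
```

Run stand-alone, it shows both breakers yielding one event per line on this sample, the transform stripping only the constructed prefix, and "ts" resolving to 2022-08-02 in UTC. The two things worth checking against real data are whether every event really begins with `{"ts":` (a merged multi-event _raw is exactly what the question describes) and whether the time extraction settings match an epoch value; Splunk's TIME_FORMAT accepts `%s` for epoch seconds, whereas the props.conf in the question looks for a "timestamp" key that these events do not contain.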

SecDesh
Path Finder

Good Afternoon,

I attempted your solution in 2 ways based on some slight confusion.

Initially I removed the MAX_TIMESTAMP_LOOKAHEAD=25 line and edited my LINE_BREAKER to match yours which did not work.

Just in case I misread, I then simply commented out the LINE_BREAKER as well in case you meant to omit this as well with still no success. I am still having multiple events combined and display as raw data.

Another bit of information in case it is important is that these 2 files I created are located in:

/opt/splunk/etc/apps/Splunk_TA_zeek/local

I created the local directory and placed the 2 custom files in there.

0 Karma

richgalloway
SplunkTrust

There's no need to remove MAX_TIMESTAMP_LOOKAHEAD.

The LINE_BREAKER in my reply was meant as a replacement for yours.

Did you make the props.conf changes on the indexer(s) and heavy forwarder(s)?  Did you restart them?

---
If this reply helps you, Karma would be appreciated.

SecDesh
Path Finder

This was the closest solution. What I had to do in detail was install the correct TA file, which would be Security Onion instead of Zeek. I also had to properly install the TA on the SearchHead, Indexers, and UF(s). The HF in this case didn't matter because it is simply passing traffic, not forwarding it. I also realized that I had to remove previously old TA files since they were overwriting the newly installed one.

 

Lastly, before I restarted splunk services, ensure that you're running it as the splunk user and that the files you created/installed are owned by the splunk user. I initially had them as root which is why the files were ignored.

SecDesh
Path Finder

Good Morning,

Initially, when I put the .conf files onto the indexers, it appeared to have (mostly) worked. But it is now back to displaying a large amount of raw text. The .conf files are now on the HF as well, but no changes are seen. All systems had been restarted with the new configurations and are running.

 

Could it possibly be a placement issue?

0 Karma

richgalloway
SplunkTrust

That it worked for a while and then didn't tells me perhaps the source is inconsistent in how the data is formatted or we don't know all the rules it uses for formatting the data.

If data passes through a HF then all props and transforms must be installed on the HF.

As always, changes to props and transforms apply only to data received after the change is made.

---
If this reply helps you, Karma would be appreciated.
0 Karma

SecDesh
Path Finder

Data does pass through the HF onto the indexers; however, it doesn't do any parsing. I've placed the configs on the HF anyway just to be safe, but so far there has been no change.

0 Karma