Getting Data In

I am using third party forwarding from Splunk to QRadar but the events are not being displayed correctly. How can I correct this?

DerekB
Splunk Employee

My Splunk setup is a UF sending to an indexer. That indexer is then forwarding everything to QRadar. When I look at the events in QRadar, they are mangled. What I see is each key-value pair is its own event instead of all of the pairs being part of a single event.

Example:

Real event looks like:

09-Sep-2012 14:48:29 AgentDevice=WindowsLog AgentLogFile=Security

But it's getting broken into separate events like this:

Event 1-
09-Sep-2012 14:48:29

Event 2-
AgentDevice=WindowsLogs

Event 3-
AgentLogfile=Security

Why?

1 Solution

jbsplunk
Splunk Employee

We've seen this before, and what we noticed was that when we looked at the single line event data the instance was generating, it was all showing up in QRadar normally. The problem turned out to be that QRadar doesn't understand how to deal with multiline events, so each line is handled as an individual event. We confirmed the behavior with the vendor, presently it is a limitation of the product.


rajanala
Path Finder

DerekB,
Can you share the Splunk configuration details for forwarding all data from the Splunk indexer to QRadar?
Will having just the outputs.conf work?
outputs.conf
[tcpout]
defaultGroup = SIEM_12345
indexAndForward = true
disabled = false

[tcpout:SIEM_12345]
server = SIEM_IP:12345
# QRadar is not a Splunk receiver: the cooked, compressed Splunk-to-Splunk
# stream is unreadable to it, so send plain uncompressed raw data
compressed = false
sendCookedData = false

0 Karma
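An added example, not from this thread or from Splunk's own documentation, of the two indexer-side pieces these posts are asking about: an outputs.conf that sends raw, uncooked data to QRadar, and a props.conf SEDCMD that joins a multiline event onto one line before it is forwarded, which works around the line-per-event behaviour described in the accepted answer. The sourcetype, group name, SIEM_IP and port are assumptions.

```ini
# outputs.conf on the indexer (added example; SIEM_IP, port and group name are placeholders)
[tcpout]
defaultGroup = qradar
# keep a local copy in the indexer while also forwarding
indexAndForward = true

[tcpout:qradar]
server = SIEM_IP:12345
# QRadar is not a Splunk receiver: send raw text, not the cooked Splunk-to-Splunk format
sendCookedData = false

# props.conf on the same indexer (the sourcetype name is an assumption)
[WinEventLog:Security]
# Replace every line break inside an event with a space, so a receiver that
# treats each line as an event still gets one record per Windows event.
# SEDCMD runs in the parsing pipeline, i.e. before the raw tcpout output.
SEDCMD-flatten = s/[\r\n]+/ /g
```

Because SEDCMD rewrites _raw at parsing time, the copy kept locally by indexAndForward is flattened as well; if the multiline layout matters for Splunk searches, route only the QRadar copy through this sourcetype or accept the single-line form in both places.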

jmann2118
Explorer

You can upgrade to a newer version of QRadar which adds Splunk as a source and fixes this issue

jcrabb_splunk
Splunk Employee

Here is a document regarding the QRadar configuration from IBM's site:

http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.5/com.ibm.dsm.doc/t_DSM_guide_Splunk_logsou...

Jacob
Sr. Technical Support Engineer
0 Karma

jbsplunk
Splunk Employee

Yes, but it's good to have documented.

Ayn
Legend

Isn't this a QRadar issue rather than a Splunk issue?

0 Karma

buttona
Engager

Is this something that has been corrected since 2012? We are looking to do the same thing here with SystemOut and http access logs from Splunk indexer to QRadar.

Thanks.

0 Karma