Solved: I cant get Splunk to read Boss Of SOC v1 Data Set

dablab · ‎11-18-2023

Hey! So Im using an EC2 splunk ami and have all the correct apps loaded but cannot for the life of me get the boss v1 data in my environment.

I've put it into $SPLUNK_HOME/etc/apps (as mentioned in github) and it did not work, it simply does not pick up that this is a data set and instead is comfortably in my apps.

Loading it in other ways means it doesnt come through correctly. Is this a timestamp issue?

Any help would be so appreciated

PickleRick · ‎11-18-2023

+1 on @richgalloway 's doubt

You are supposed to download the archive and unpack it to $SPLUNK_HOME/etc/apps

Restart Splunk

That's it. No ingesting anything, no defining inputs, no nothing. The files will _not_ be moved anywhere - the app contains pre-indexed buckets along with the indexes.conf file pointing to this particular directory so that Splunk knows where to find the data. So after the restart Splunk should notice that it has new index(es?) with data files placed in your app's directory (that's kinda unusual and you'd normally not do that for normally ingested index data but that's a dataset prepared to be easily distributed). And that's all there is to it.

You should _not_ be ingesting it in any way which you somehow did since you're showing us the contents of the files pulled into some index.

View solution in original post

dablab · ‎11-18-2023

I want to say that it was a permissions issue!!! Thanks all!

PickleRick · ‎11-18-2023

Was just about to write that if you unpacked it with sudo, you could get mismatched ownership and permission issues. But apparently you got it on your own.

Have fun with your searches 🙂

PickleRick · ‎11-18-2023

+1 on @richgalloway 's doubt

You are supposed to download the archive and unpack it to $SPLUNK_HOME/etc/apps

Restart Splunk

That's it. No ingesting anything, no defining inputs, no nothing. The files will _not_ be moved anywhere - the app contains pre-indexed buckets along with the indexes.conf file pointing to this particular directory so that Splunk knows where to find the data. So after the restart Splunk should notice that it has new index(es?) with data files placed in your app's directory (that's kinda unusual and you'd normally not do that for normally ingested index data but that's a dataset prepared to be easily distributed). And that's all there is to it.

You should _not_ be ingesting it in any way which you somehow did since you're showing us the contents of the files pulled into some index.

dablab · ‎11-18-2023

Thanks!

So when I do

cd /opt/splunk/etc/apps/

and then: sudo tar -xzf botsv1_data_set.tgz

It will unload the data in the apps area, but then when I restart and go to search it there is nothing there?

I have all the apps download etc.

richgalloway · ‎11-18-2023

Something's not right in that screenshot. The contents of indexes.conf should not be indexed. I suspect some instructions are being misinterpreted.

Please tell us more details about how you are trying to load the data. Provide the exact steps followed or a link to them.

---
If this reply helps you, Karma would be appreciated.

I cant get Splunk to read Boss Of SOC v1 Data Set

configuration

troubleshooting

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio