I can't get Splunk to read the Boss Of SOC v1 Data Set

dablab
Explorer

Hey! So I'm using an EC2 Splunk AMI and have all the correct apps loaded, but cannot for the life of me get the Boss v1 data into my environment.

I've put it into $SPLUNK_HOME/etc/apps (as mentioned on GitHub) and it did not work; it simply does not pick up that this is a data set and instead it sits comfortably in my apps.

Loading it in other ways means it doesn't come through correctly. Is this a timestamp issue?

Any help would be so appreciated.

1 Solution

PickleRick
SplunkTrust

+1 on @richgalloway's doubt

You are supposed to download the archive and unpack it to $SPLUNK_HOME/etc/apps

Restart Splunk

That's it. No ingesting anything, no defining inputs, nothing. The files will _not_ be moved anywhere; the app contains pre-indexed buckets along with an indexes.conf file pointing to this particular directory, so that Splunk knows where to find the data. So after the restart Splunk should notice that it has new index(es?) with data files placed in your app's directory (that's kind of unusual and you'd normally not do that for normally ingested index data, but this is a dataset prepared to be easily distributed). And that's all there is to it.

You should _not_ be ingesting it in any way, which you somehow did, since you're showing us the contents of the files pulled into some index.

dablab
Explorer

I want to say that it was a permissions issue! Thanks all!

PickleRick
SplunkTrust

Was just about to write that if you unpacked it with sudo, you could get mismatched ownership and permission issues. But apparently you got it on your own.

Have fun with your searches 🙂

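The procedure from the accepted solution (unpack into $SPLUNK_HOME/etc/apps, restart, nothing to ingest and no inputs to define) together with the ownership caveat in PickleRick's reply about unpacking with sudo, as an added POSIX shell example; it is not code from this thread or from the BOTS project. Assumptions: splunkd runs as a service account named splunk (override with SPLUNK_USER), the archive unpacks to a directory whose name is passed as the second argument (botsv1_data_set in the thread's naming), and the app keeps its index stanzas in default/indexes.conf. The indexes.conf that the self-check builds is constructed for illustration, shaped like the one the solution describes (bucket paths pointing back inside the app) plus a control stanza pointing at $SPLUNK_DB that the check must flag.

```shell
#!/bin/sh
# Added example (not from the thread or the BOTS project): install a pre-indexed
# Splunk dataset app the way the accepted answer describes and sanity-check it.
# Assumptions: splunkd runs as the account in SPLUNK_USER, the archive unpacks
# to etc/apps/<app>, and the app ships its index stanzas in default/indexes.conf.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"

# Unpack as the Splunk service user rather than via plain sudo (which unpacks as
# root), so every bucket file ends up owned by the account that has to read it.
install_dataset_app() {
    sudo -u "$SPLUNK_USER" tar -xzf "$1" -C "$SPLUNK_HOME/etc/apps"
}

# Repair an app directory that was already unpacked as root.
fix_ownership() {
    sudo chown -R "$SPLUNK_USER:$SPLUNK_USER" "$1"
}

# Number of entries under $1 not owned by $2 (user name or numeric uid).
# Anything other than 0 means splunkd may fail to open the buckets.
count_not_owned() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Number of entries under $1 whose owner lacks the read bit.
count_owner_unreadable() {
    find "$1" ! -perm -u+r | wc -l | tr -d ' '
}

# Print "<index> <homePath>" for every stanza in an indexes.conf.
list_index_paths() {
    awk '
        /^\[/ { idx = substr($0, 2, length($0) - 2) }
        /^[[:space:]]*homePath[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print idx " " $0
        }' "$1"
}

# Number of stanzas whose homePath (after expanding $SPLUNK_HOME) does not point
# back inside the app directory $1. A distributable dataset app keeps its buckets
# inside the app, so it is expected to report 0; nothing is copied or ingested.
count_external_paths() {
    list_index_paths "$1/default/indexes.conf" |
        awk -v app="$1" -v home="$SPLUNK_HOME" '
            { p = $2; gsub(/\$SPLUNK_HOME/, home, p); if (index(p, app) != 1) n++ }
            END { print n + 0 }'
}

# The whole procedure from the thread: unpack, verify, restart.
load_dataset() {
    archive="$1"; app="$SPLUNK_HOME/etc/apps/$2"
    install_dataset_app "$archive"
    [ "$(count_not_owned "$app" "$SPLUNK_USER")" -eq 0 ] ||
        { echo "files under $app not owned by $SPLUNK_USER; run fix_ownership" >&2; return 1; }
    [ "$(count_owner_unreadable "$app")" -eq 0 ] ||
        { echo "owner-unreadable files under $app" >&2; return 1; }
    [ "$(count_external_paths "$app")" -eq 0 ] ||
        { echo "$app/default/indexes.conf points outside the app" >&2; return 1; }
    sudo -u "$SPLUNK_USER" "$SPLUNK_HOME/bin/splunk" restart
}

# Offline self-check against a constructed app layout (no Splunk needed): one
# stanza shaped like the dataset's (buckets inside the app) and one control
# stanza that points at $SPLUNK_DB, which count_external_paths must flag.
selfcheck() {
    saved_home="$SPLUNK_HOME"
    tmp=$(mktemp -d)
    SPLUNK_HOME="$tmp"
    app="$tmp/etc/apps/botsv1_data_set"
    mkdir -p "$app/default" "$app/db/db_1_1_0"
    cat > "$app/default/indexes.conf" <<'EOF'
[botsv1]
homePath = $SPLUNK_HOME/etc/apps/botsv1_data_set/db
coldPath = $SPLUNK_HOME/etc/apps/botsv1_data_set/colddb

[control]
homePath = $SPLUNK_DB/control/db
EOF
    rc=0
    [ "$(count_not_owned "$app" "$(id -u)")" -eq 0 ] || rc=1
    [ "$(count_not_owned "$app" "$(( $(id -u) + 1 ))")" -gt 0 ] || rc=1  # foreign uid is flagged
    [ "$(count_owner_unreadable "$app")" -eq 0 ] || rc=1
    [ "$(count_external_paths "$app")" -eq 1 ] || rc=1                   # only the control stanza
    rm -rf "$tmp"
    SPLUNK_HOME="$saved_home"
    return $rc
}

if [ $# -eq 2 ]; then load_dataset "$1" "$2"; else selfcheck; fi
```

With two arguments (archive path, app directory name) the script unpacks, verifies and restarts; with none it only runs the offline self-check. Confirm the top-level directory name inside the archive with tar -tzf before relying on the second argument. If the app was already unpacked as root, fix_ownership on the app directory followed by a restart is the repair that matches the permissions diagnosis in this thread.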
dablab
Explorer

Thanks!

So when I do

cd /opt/splunk/etc/apps/

and then:

sudo tar -xzf botsv1_data_set.tgz

it will unload the data in the apps area, but then when I restart and go to search it there is nothing there?

I have all the apps downloaded etc.

richgalloway
SplunkTrust

Something's not right in that screenshot. The contents of indexes.conf should not be indexed. I suspect some instructions are being misinterpreted.

Please tell us more details about how you are trying to load the data. Provide the exact steps followed or a link to them.
