Getting Data In

It does not search for Snort json alerts

gruby_bolek
Explorer

I installed the Snort 3 JSON Alerts add-on. I made changes in inputs.conf (/opt/splunk/etc/apps/TA_Snort3_json/local) like this:

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

When I search for events like below (sourcetype="snort3:alert:json") there is NOTHING 😞

[screenshot]

But Splunk knows that there is something in that path, and how much of it. Like below.

[screenshot]

What I can tell more is what Splunk tells me when starting.

Value in stanza [eventtype=snort3:alert:json] in /…/TA_Snort3_json/default/tags.conf, line 1 is not URL encoded: eventtype = snort3:alert:json
Your indexes and inputs configurations are not internally consistent. For more info, run 'splunk btool check --debug'

Please, help.


richgalloway
SplunkTrust
SplunkTrust

The monitor stanza should specify an index name so Splunk knows where to put the data.  Without that, everything goes in the 'main' index.

Your (and everyone else's) search query should specify the index name to search.  This makes the query more efficient and avoids reliance on your default index.  The index name in the query must match the index name in the monitor stanza for Splunk to find the data.

The message about the tags.conf file is a symptom of a different problem and should be easy to correct.  Go to line 1 of the file specified in the message and URL-encode the value.

---
If this reply helps you, Karma would be appreciated.


gruby_bolek
Explorer

Thank you. I have succeeded, with the following results:

  • searching and displaying the json file (I edited inputs.conf in the Snort 3 JSON alert app directory)

[screenshot]

[screenshot]

  • searching and displaying the alert full and alert fast files (I edited inputs.conf in the apps directory)

[screenshot]

But it does not search with: sourcetype="snort_alert_full", because in this file it changes sourcetypes "snort_alert_full" and "snort_alert_fast" to "snort".

[screenshot]

Thank you for help.


gruby_bolek
Explorer

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json


By the index in the monitor stanza, do you mean the path, exactly "/var/log/snort/*alert_json.txt"?
Or by the index do you mean the sourcetype, "snort3:alert:json"?


richgalloway
SplunkTrust
SplunkTrust

The index name is specified on another line, similar to how the sourcetype is specified.

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo

Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf

---
If this reply helps you, Karma would be appreciated.
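The two problems in this thread (a monitor stanza with no `index =` line, and a tags.conf stanza header that is not URL-encoded) are exactly the kind of thing `splunk btool check` flags. As an added illustration, not code from Splunk or from the TA_Snort3_json add-on, the script below parses constructed sample inputs.conf and indexes.conf text, reports monitor stanzas that either set no index or reference an index that indexes.conf does not define, and shows what the URL-encoded tags.conf header for `snort3:alert:json` looks like. The sample stanzas, the index names `snort` and `snort_ids`, and the list of built-in indexes are assumptions for the demonstration.

```python
"""Added example: an offline checker for the two problems discussed in this thread.

This is not Splunk's btool, only an illustration of what it complains about:
every [monitor://...] stanza in inputs.conf should name an index, and that
index must be defined in indexes.conf. It also shows how the stanza header in
tags.conf has to be URL-encoded. All text below is constructed sample content,
not files from the poster's system.
"""
from urllib.parse import quote

# Constructed sample inputs.conf: the stanza from the question (no index),
# one correct stanza, and one that names an index nobody defined.
INPUTS_CONF = """\
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

[monitor:///var/log/snort/alert_full.txt]
sourcetype = snort_alert_full
index = snort

[monitor:///var/log/snort/alert_fast.txt]
sourcetype = snort_alert_fast
index = snort_ids
"""

# Constructed sample indexes.conf: only 'snort' is defined.
INDEXES_CONF = """\
[snort]
homePath = $SPLUNK_DB/snort/db
coldPath = $SPLUNK_DB/snort/colddb
thawedPath = $SPLUNK_DB/snort/thaweddb
"""

# A few indexes every Splunk instance has without listing them in indexes.conf
# (assumed subset, enough for this check).
BUILTIN_INDEXES = {"main", "_internal", "_audit", "_introspection"}


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_inputs(inputs_text, indexes_text):
    """Return (stanza, problem) pairs for monitor stanzas, in file order."""
    inputs = parse_conf(inputs_text)
    defined = set(parse_conf(indexes_text)) | BUILTIN_INDEXES
    problems = []
    for stanza, settings in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        index = settings.get("index")
        if index is None:
            problems.append((stanza, "no index set; events will land in 'main'"))
        elif index not in defined:
            problems.append((stanza, f"index '{index}' is not defined in indexes.conf"))
    return problems


def tags_stanza(field, value):
    """Build a tags.conf stanza header with the value URL-encoded, as Splunk requires."""
    return f"[{field}={quote(value, safe='')}]"


def search_string(index, sourcetype):
    """The search shape recommended in the thread: always scope by index."""
    return f'index={index} sourcetype="{sourcetype}"'


if __name__ == "__main__":
    for stanza, problem in check_inputs(INPUTS_CONF, INDEXES_CONF):
        print(f"{stanza}: {problem}")
    print(tags_stanza("eventtype", "snort3:alert:json"))
    print(search_string("snort", "snort3:alert:json"))
```

Running it reports the json stanza as having no index and the alert_fast stanza as pointing at an undefined index, which is the "not internally consistent" situation from the original warning; the printed tags.conf header `[eventtype=snort3%3Aalert%3Ajson]` is the URL-encoded form that the first warning asks for.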