Getting Data In

It does not search for Snort JSON alerts

gruby_bolek
Explorer

I installed Snort 3 JSON Alerts add-on. I made changes in inputs.conf (/opt/splunk/etc/apps/TA_Snort3_json/local) like this:

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

When I search for events like below (sourcetype="snort3:alert:json") there is NOTHING 😞


But Splunk knows there is something in that path, and how many files, as shown below.


What else I can tell you is what Splunk tells me when starting:

Value in stanza [eventtype=snort3:alert:json] in /…/TA_Snort3_json/default/tags.conf, line 1 is not URL encoded: eventtype = snort3:alert:json
Your indexes and inputs configurations are not internally consistent. For more info, run 'splunk btool check --debug'

Please help.

richgalloway
SplunkTrust

The monitor stanza should specify an index name so Splunk knows where to put the data.  Without that, everything goes in the 'main' index.

Your (and everyone else's) search query should specify the index name to search.  This makes the query more efficient and avoids reliance on your default index.  The index name in the query must match the index name in the monitor stanza for Splunk to find the data.

The message about the tags.conf file is a symptom of a different problem and should be easy to correct.  Go to line 1 of the file specified in the message and URL-encode the value.

---
If this reply helps you, Karma would be appreciated.


gruby_bolek
Explorer

Thank you. I have succeeded, with results like this:

  • searching and displaying the JSON file (I edited inputs.conf in the Snort 3 JSON alert app directory)

  • searching and displaying the alert_full and alert_fast files (I edited inputs.conf in the apps directory)

But it does not search with sourcetype="snort_alert_full", because in this file it changes the sourcetypes "snort_alert_full" and "snort_alert_fast" to "snort".

Thank you for help.

gruby_bolek
Explorer

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json


By "index" in the monitor stanza, do you mean the path, exactly "/var/log.snort/*alert_json.txt"?
Or by "index" do you mean the sourcetype, "snort3:alert:json"?

richgalloway
SplunkTrust

The index name is specified on another line, similar to how the sourcetype is specified.

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo

Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf

---
If this reply helps you, Karma would be appreciated.
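As an added example, not from this thread or from the Snort 3 JSON Alerts add-on: a small Python lint for the two configuration problems discussed above. It flags monitor stanzas that omit `index =`, builds the URL-encoded tags.conf stanza header that the startup warning asks for, and derives an index-qualified search from the stanza. The inputs.conf text and the index name `snort` are constructed for the example.

```python
import re
from urllib.parse import quote

# Constructed sample resembling the poster's inputs.conf: the first
# monitor stanza has no index, so its events would land in 'main'.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

[monitor:///var/log/snort/alert_fast.txt]
sourcetype = snort_alert_fast
index = snort
"""

def parse_stanzas(conf_text):
    """Return {stanza_name: {key: value}} for a simple .conf file (no continuation lines)."""
    stanzas, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def monitor_stanzas_without_index(conf_text):
    """Names of [monitor://...] stanzas that omit 'index'."""
    return [name for name, kv in parse_stanzas(conf_text).items()
            if name.startswith("monitor://") and "index" not in kv]

def encode_tags_stanza(field, value):
    """tags.conf stanza header with the field value URL-encoded (':' becomes %3A)."""
    return f"[{field}={quote(value, safe='')}]"

def search_for(conf_text, sourcetype):
    """SPL naming the index of the monitor stanza with this sourcetype, so the search
    does not rely on the default index; None when that stanza sets no index."""
    for name, kv in parse_stanzas(conf_text).items():
        if name.startswith("monitor://") and kv.get("sourcetype") == sourcetype:
            idx = kv.get("index")
            return f'index={idx} sourcetype="{sourcetype}"' if idx else None
    return None
```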