I installed the Snort 3 JSON Alerts add-on. I made changes in inputs.conf (/opt/splunk/etc/apps/TA_Snort3_json/local) like this:
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
When I search for events like below (sourcetype="snort3:alert:json") there is NOTHING 😞
But Splunk knows there is something in that path, and how many files. Like below.
What I can tell more is what Splunk tells me when starting.
Value in stanza [eventtype=snort3:alert:json] in /…/TA_Snort3_json/default/tags.conf, line 1 is not URL encoded: eventtype = snort3:alert:json
Your indexes and inputs configurations are not internally consistent. For more info, run 'splunk btool check --debug'
Please, help.
The monitor stanza should specify an index name so Splunk knows where to put the data. Without that, everything goes in the 'main' index.
Your (and everyone else's) search query should specify the index name to search. This makes the query more efficient and avoids reliance on your default index. The index name in the query must match the index name in the monitor stanza for Splunk to find the data.
The message about the tags.conf file is a symptom of a different problem and should be easy to correct. Go to line 1 of the file specified in the message and URL-encode the value.
Thank you. I have succeeded with the effects like this:
But it does not search with: sourcetype="snort_alert_full", because in this file it changes sourcetypes "snort_alert_full" and "snort_alert_fast" to "snort".
Thank you for help.
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
By the index in the monitor stanza, do you mean the path, exactly "/var/log.snort/*alert_json.txt"?
Or by the index do you mean the sourcetype, "snort3:alert:json"?
The index name is specified on another line, similar to how the sourcetype is specified.
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo
Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf
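As an added check that is not part of this thread or of the TA_Snort3_json add-on: a small Python script that parses the stanza format of inputs.conf, flags every monitor stanza that does not set an index (those events land in the default index, assumed here to be 'main' as the answer above states), and builds the SPL search whose index and sourcetype match the stanza. The sample inputs.conf is constructed from the question's stanza plus a second, corrected stanza; the "*alert_fast.txt*" path and the pairing of "snort_alert_fast" with "index = foo" are assumptions for illustration.

```python
"""Report Splunk inputs.conf monitor stanzas that are missing an index.

Added example, not code from the thread or from the Snort 3 JSON Alerts add-on.
"""
from dataclasses import dataclass, field

# Constructed sample: first stanza is the one from the question (no index),
# second is an assumed corrected stanza using the thread's "index = foo".
SAMPLE_INPUTS_CONF = """\
# comments and blank lines are skipped
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

[monitor:///var/log/snort/*alert_fast.txt*]
sourcetype = snort_alert_fast
index = foo
"""


@dataclass
class Stanza:
    name: str
    settings: dict = field(default_factory=dict)


def parse_conf(text):
    """Parse Splunk .conf text into Stanza objects (keys lowercased, comments dropped)."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Stanza(line[1:-1])
            stanzas.append(current)
            continue
        if current is None or "=" not in line:
            continue  # setting outside any stanza, or malformed line: ignore
        key, _, value = line.partition("=")
        current.settings[key.strip().lower()] = value.strip()
    return stanzas


def monitor_findings(stanzas, default_index="main"):
    """For each monitor stanza, record the effective index and whether it was set explicitly.

    default_index is an assumption: Splunk's default index is 'main' unless changed.
    """
    findings = []
    for st in stanzas:
        if not st.name.startswith("monitor://"):
            continue
        findings.append({
            "path": st.name[len("monitor://"):],
            "index": st.settings.get("index", default_index),
            "index_explicit": "index" in st.settings,
            "sourcetype": st.settings.get("sourcetype"),
        })
    return findings


def search_for(finding):
    """Build the SPL that matches what the stanza indexes; index and sourcetype agree with it."""
    spl = f'index={finding["index"]}'
    if finding["sourcetype"]:
        spl += f' sourcetype="{finding["sourcetype"]}"'
    return spl


def main():
    for f in monitor_findings(parse_conf(SAMPLE_INPUTS_CONF)):
        status = "ok" if f["index_explicit"] else "WARNING: no index set, data goes to default index"
        print(f'{f["path"]}: {status}')
        print(f'  search with: {search_for(f)}')


if __name__ == "__main__":
    main()
```

Run it against your own file with `parse_conf(open("/opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf").read())`; a stanza reported without an explicit index is the situation the thread describes, and the printed search is the one whose index= and sourcetype= will actually find the events.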