Getting Data In

It does not search for Snort json alerts

gruby_bolek
Explorer

I installed the Snort 3 JSON Alerts add-on. I made changes in inputs.conf (/opt/splunk/etc/apps/TA_Snort3_json/local) like this:

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

When I search for events like below (sourcetype="snort3:alert:json") there is NOTHING 😞

[screenshot]

But Splunk knows that there is something in that path, and how many. Like below.

[screenshot]

What I can add is what Splunk tells me when starting.

Value in stanza [eventtype=snort3:alert:json] in /…/TA_Snort3_json/default/tags.conf, line 1 is not URL encoded: eventtype = snort3:alert:json
Your indexes and inputs configurations are not internally consistent. For more info, run 'splunk btool check --debug'

Please help.

richgalloway
SplunkTrust

The monitor stanza should specify an index name so Splunk knows where to put the data.  Without that, everything goes in the 'main' index.

Your (and everyone else's) search query should specify the index name to search.  This makes the query more efficient and avoids reliance on your default index.  The index name in the query must match the index name in the monitor stanza for Splunk to find the data.

The message about the tags.conf file is a symptom of a different problem and should be easy to correct.  Go to line 1 of the file specified in the message and URL-encode the value.

---
If this reply helps you, Karma would be appreciated.

gruby_bolek
Explorer

Thank you. I have succeeded, with results like this:

  • searching and displaying the json file (I edited inputs.conf in the Snort 3 JSON alert app directory)

[screenshot]

[screenshot]

  • searching and displaying the alert full and alert fast files (I edited inputs.conf in the apps directory)

[screenshot]

But it does not search with sourcetype="snort_alert_full", because in this file it changes the sourcetypes "snort_alert_full" and "snort_alert_fast" to "snort".

[screenshot]

Thank you for help.

gruby_bolek
Explorer

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json

By index in the monitor stanza, do you mean the path, exactly "/var/log.snort/*alert_json.txt"?
Or do you mean the index in the sourcetype, "snort3:alert:json"?

richgalloway
SplunkTrust

The index name is specified on another line, similar to how the sourcetype is specified.

[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = foo

Read The Fine Manual at https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf

---
If this reply helps you, Karma would be appreciated.
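Putting the accepted answer and the `index = foo` clarification together, here is an added example (not from the thread or the TA_Snort3_json app) of the three configuration files involved, the weak stanza beside the corrected one. The index name `snort`, the tag name `ids`, and the file locations are assumptions; indexes.conf belongs on the indexer, and edits to the app's default/ files should be made in local/ instead.

```ini
# --- /opt/splunk/etc/apps/TA_Snort3_json/local/inputs.conf ---
# Before (as posted): no index line, so events land in the default
# 'main' index and a search scoped to another index never finds them.
#
# [monitor:///var/log/snort/*alert_json.txt*]
# sourcetype = snort3:alert:json
#
# After: the destination index is named explicitly ("snort" is assumed).
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
index = snort

# --- indexes.conf on the indexer (assumed: etc/system/local/indexes.conf) ---
# The index named in inputs.conf must be defined; an input that references
# an undefined index is the usual reason btool reports "indexes and inputs
# configurations are not internally consistent".
[snort]
homePath   = $SPLUNK_DB/snort/db
coldPath   = $SPLUNK_DB/snort/colddb
thawedPath = $SPLUNK_DB/snort/thaweddb

# --- /opt/splunk/etc/apps/TA_Snort3_json/local/tags.conf ---
# Before (line 1 of default/tags.conf): the ':' characters in the stanza
# value are what trigger the "is not URL encoded" message.
#
# [eventtype=snort3:alert:json]
#
# After: each ':' is URL-encoded as %3A. The tag name 'ids' is assumed.
[eventtype=snort3%3Aalert%3Ajson]
ids = enabled

# --- search (SPL), naming the index as the answer recommends ---
# index=snort sourcetype="snort3:alert:json"
```

After restarting Splunk, rerun `splunk btool check --debug` to confirm both messages from the question are gone before testing the search.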