LINE_BREAKER settings work when adding the input manually but not through props.conf

abhijittikekar
Builder

Hi,

I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders.

[monitor:///var/log/barnyard2/barnyard2.alert]
sourcetype=snort_unified2
index=snort

As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event... , I added the same settings to props.conf (Indexer and SH), but Splunk still ends up breaking each line into a separate event, as shown below:

Snort_1.png

props.conf

[snort_unified2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\*\*\]
TIME_PREFIX = ^([^\r\n]+[\r\n]+){2}
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
category = Network & Security

But when I try these settings by manually adding the same input, it works just fine.

snort_manual.png

Any ideas on what could be going wrong with props.conf?

Thanks,

~Abhi
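An added example (not code from this thread or from Splunk) that simulates how the stanza above carves the barnyard2 alert stream: it applies LINE_BREAKER the way Splunk does (the text matched by the first capture group is discarded, the event boundary sits right after it), then walks TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT to pull the timestamp out of each event. The two-alert sample is constructed in barnyard2 alert_full style and is an assumption about the file layout; per_line_events shows the one-event-per-line result the question describes when the stanza is not applied.

```python
import re
from datetime import datetime

# Constructed two-alert sample in barnyard2 alert_full style (not real sensor data).
SAMPLE_ALERTS = (
    "[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]\n"
    "[Classification: Potentially Bad Traffic] [Priority: 2]\n"
    "04/25-10:12:33.123456 192.168.1.10:44321 -> 10.0.0.5:80\n"
    "TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60\n"
    "\n"
    "[**] [1:1000001:1] EXAMPLE local rule [**]\n"
    "[Classification: Misc activity] [Priority: 3]\n"
    "04/25-10:12:35.000001 10.0.0.5:80 -> 192.168.1.10:44321\n"
    "TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52\n"
)

# The props.conf values from the question, as Python regexes.
LINE_BREAKER = re.compile(r"([\r\n]+)\[\*\*\]")
TIME_PREFIX = re.compile(r"^([^\r\n]+[\r\n]+){2}")
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = "%m/%d-%H:%M:%S.%f"  # strptime spelling of %m/%d-%H:%M:%S.%6N

def break_events(data):
    """Split like LINE_BREAKER: the text matched by the first capture group is
    discarded and the next event starts right after it, so every event keeps
    its leading '[**]' marker."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(data):
        events.append(data[pos:m.start(1)])
        pos = m.end(1)
    events.append(data[pos:])
    return [e.rstrip("\r\n") for e in events if e.strip()]

def per_line_events(data):
    """What the asker sees when the stanza is not applied: one event per line."""
    return [line for line in data.splitlines() if line.strip()]

def extract_timestamp(event):
    """Skip two lines (TIME_PREFIX), then parse the first token inside the
    MAX_TIMESTAMP_LOOKAHEAD window with TIME_FORMAT. Snort alerts carry no
    year: Splunk fills in the current year, strptime leaves 1900."""
    m = TIME_PREFIX.match(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(window.split(" ", 1)[0], TIME_FORMAT)
    except ValueError:
        return None
```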

kbehl
Explorer

This is an index-time setting and therefore not required at the universal forwarder.

Here is what you can try:

SHOULD_LINEMERGE = true

Along with one of:
BREAK_ONLY_BEFORE,
BREAK_ONLY_AFTER

samcyber20
Explorer

Hi @abhijittikekar ,

Check props.conf on your UF or try using the btool command.

Please let me know if it helps or if you have found a solution already.

Thanks

Sam

abhijittikekar
Builder

Hi @samcyber20,

The app that we pushed to the endpoints to collect these logs does not have a props.conf, only an inputs.conf with the one stanza I mentioned above.

Does it need a props.conf as well, with any of the entries that I added on the Indexer side?

Thanks,

~ Abhi

samcyber20
Explorer

Hi @abhijittikekar,

Use the btool command mentioned by @soutamo.

It will give you a much better idea.

Thanks

Sam

soutamo
SplunkTrust

Do you have any HF between the UF and the indexer? If yes, then you must put props.conf on the first HF counting from the UF. If not, please try what the following command says:

splunk btool props list --debug snort_unified2

r. Ismo

richgalloway
SplunkTrust

Did you restart the indexers after changing the props.conf file?

---
If this reply helps you, an upvote would be appreciated.

abhijittikekar
Builder

Hi @richgalloway ,

Yes. Both Indexer and the Search Head were restarted after making the props.conf change.

Thanks,

~ Abhi
