Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

LINE_BREAKER settings works when adding input manually but not through props.conf

att35
Builder
‎10-22-2020 09:38 AM

Hi,

I am trying to add Snort data into Splunk by monitoring barnyard2.alert file using Universal Forwarders.

 

[monitor:///var/log/barnyard2/barnyard2.alert]
sourcetype=snort_unified2
index=snort

 

As explained here https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-line-breaking-a-single-IDS-Alert-event... , I added same settings to props.conf(Indexer and SH) but Splunk still ends up breaking each line as a separate event, as shown below:Snort_1.png

props.conf

 

[snort_unified2]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)\[\*\*\]
TIME_PREFIX = ^([^\r\n]+[\r\n]+){2}
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
category = Network & Security

 

But when I try these settings by manually adding same input it works just fine.

snort_manual.png

Any ideas on what could be going wrong with props.conf?

Thanks,

~Abhi

 

Labels (1)
Labels
Reply

kbehl
Explorer
‎10-25-2020 12:33 PM

This is an index time setting and therefore not required at universal forwarder.

 

Here is what you can try:

SHOULD_LINEMERGE= true

Along with one of:
BREAK_ONLY_BEFORE,
BREAK_ONLY_AFTER



0 Karma
Reply

samcyber20
Explorer
‎10-22-2020 06:52 PM

Hi @att35 ,

check props.conf on your UF or try using btool command.

Please let  me know if it helps or you found solution already.

Thanks

Sam

Reply

att35
Builder
‎10-23-2020 05:21 AM

Hi @samcyber20 

App that we pushed on the endpoints to collect these logs does not have any props.conf. Only inputs.conf with one stanza as I mentioned above.

Does it need a props as well with any of the entries that I added on the Indexer side?

Thanks,

~ Abhi

0 Karma
Reply

samcyber20
Explorer
‎10-25-2020 04:20 PM

Hi @att35,

use btool command mentioned by @isoutamo  .

It will give you much more idea. 

 

Thanks

Sam 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-25-2020 01:22 PM
Have you any HF between UF and indexer? If yes the you must put props.conf to the first HF counting from UF. If not then, please try what the next command said
splunk btool props list -debug snort_unified2
r. Ismo
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 12:21 PM

Did you restart the indexers after changing the props.conf file?

---
If this reply helps you, Karma would be appreciated.
Reply

att35
Builder
‎10-22-2020 01:03 PM

Hi @richgalloway ,

Yes. Both Indexer and the Search Head were restarted after making the props.conf change.

Thanks,

~ Abhi

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...