Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Making a JSON string for SimData's Event Templ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
colbym1
Engager
10-19-2018
05:26 AM
I am trying to make events with SimData that use the json format. The problem comes when I need to make the "template" for the event in SimData because of all of the double quotes needed for json.
When I try to escape them, SimData never gets rid of them:
Code:
event WebRequest {
required: [flow_id, event_type, src_ip, src_port, dest_ip, dest_port, proto];
//template: "{{_time}} hello world";
template: "{\"timestamp\": {{_time}}, \"flow_id\": {{flow_id}}, \"event_type\": \"{{event_type}}\", \"src_ip\": \"{{src_ip}}\", \"src_port\": \"{{src_port}}\", \"dest_ip\": \"{{dest_ip}}\", \"dest_port\": \"{{dest_port}}\", \"proto\": \"{{proto}}\"}";
source: "simdata";
sourcetype: "suricata";
}
What shows in Splunk:
{\"timestamp\": {{_time}}, \"flow_id\": {{flow_id}}, \"event_type\": \"{{event_type}}\", \"src_ip\": \"{{src_ip}}\", \"src_port\": \"{{src_port}}\", \"dest_ip\": \"{{dest_ip}}\", \"dest_port\": \"{{dest_port}}\", \"proto\": \"{{proto}}\"}
I'm sure that you can see that having \ everywhere is a problem. I honestly think this may be an error on the side of SimData not sanitizing data before sending it off to the HEC because when you print the same event to the console with the 'Text' transport then there are no \" because when printing Java makes sure to take care of that.
Does anyone have a current workaround for this, or am I just crazy and can't figure out how to do this correctly?
Thanks for your time.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
colbym1
Engager
11-06-2018
09:51 AM
So, I have been working with the Splunk team on this. The docs should reflect this now, but what I learned is that if you are using json format then just don't use a template. SimData will automatically put the data in json format just based on the required values you provide...
event TicketPlaced {
required: [item, place, time];
source: "https://foo.com/";
sourcetype: "foo";
}
will give you:
{
"item": item,
"place": place,
"time": time
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
colbym1
Engager
11-06-2018
09:51 AM
So, I have been working with the Splunk team on this. The docs should reflect this now, but what I learned is that if you are using json format then just don't use a template. SimData will automatically put the data in json format just based on the required values you provide...
event TicketPlaced {
required: [item, place, time];
source: "https://foo.com/";
sourcetype: "foo";
}
will give you:
{
"item": item,
"place": place,
"time": time
}
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
