Getting Data In

Parse JSON file from Emerging Threats rules.

xfaith
New Member

So I am trying to parse the description of the ET Rules which is downloaded as json.gz So it should be a JSON file but it's not taking the default JSON sourcetype, it's showing it as one file.

The beginning of the file starts with a {
Its rule starts like this "2012742":{

And each rule ends like this: :"2012742"},

I have tried to do line breaks, indexed extractions=json,
I thought BREAK_AFTER= },

But I am not good with regex and so it's not working.

Thanks for any assistance.

Tags (3)
0 Karma

xfaith
New Member

Thanks.

Using it to provide details on the the ET rules sets I use on sensors. Trying to tie in rules/usage/and details of the rules together. Hoping that it gives a better view of the total rule sets instead of just loading the newest ones. I want to see what they are, which are disabled, which are enabled, and what they do.

I have something like it being used for Snort Rules, just could not figure out how to use it for the ET Description. Will give this a try soon.

0 Karma

to4kawa
Ultra Champion
[ ET_json ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=none
KV_MODE=json
SHOULD_LINEMERGE=false
category=Structured
description=json
disabled=false
pulldown_type=true
LINE_BREAKER=(({|,)\"\d+\":){
SEDCMD-trim = s/}}/}/g
TRUNCATE=0
DATETIME_CONFIG=CURRENT

What do you use this data for? Please tell me.

creation date is better for _time ,I think.
but you should modify indexes.conf

I don't know much about it, so I decided to stay in the present for now

https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-...

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...