Getting Data In

Parse JSON file from Emerging Threats rules.

xfaith
New Member

So I am trying to parse the description of the ET Rules, which is downloaded as json.gz. So it should be a JSON file, but it's not taking the default JSON sourcetype; it's showing it as one file.

The beginning of the file starts with a {
Each rule starts like this: "2012742":{

And each rule ends like this: :"2012742"},

I have tried to do line breaks, indexed extractions=json,
I thought BREAK_AFTER= },

But I am not good with regex and so it's not working.

Thanks for any assistance.


xfaith
New Member

Thanks.

Using it to provide details on the ET rule sets I use on sensors. Trying to tie in rules/usage/and details of the rules together. Hoping that it gives a better view of the total rule sets instead of just loading the newest ones. I want to see what they are, which are disabled, which are enabled, and what they do.

I have something like it being used for Snort Rules, just could not figure out how to use it for the ET Description. Will give this a try soon.


to4kawa
SplunkTrust
[ ET_json ]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=none
KV_MODE=json
SHOULD_LINEMERGE=false
category=Structured
description=json
disabled=false
pulldown_type=true
LINE_BREAKER=(({|,)\"\d+\":){
SEDCMD-trim = s/}}/}/g
TRUNCATE=0
DATETIME_CONFIG=CURRENT

What do you use this data for? Please tell me.

Creation date is better for _time, I think.
But you should modify indexes.conf.

I don't know much about it, so I decided to stay in the present for now.

https://conf.splunk.com/files/2017/slides/splunk-data-life-cycle-determining-when-and-where-to-roll-...
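As an added example (not code from the thread or from Splunk), the script below simulates what the stanza above does to a file shaped like the one in the question: it splits the text at the first capture group of LINE_BREAKER the way Splunk does, applies the global SEDCMD, and then checks that every resulting event is valid JSON, which is what KV_MODE=json needs. The sample data is constructed, not a real Emerging Threats download. It also includes a constructed edge case that is worth knowing about before relying on the stanza: because the sed is global, a rule whose last field is itself an object ends in "}}" and gets one brace too many removed, so that event no longer parses. Running this kind of check against a real download before indexing tells you whether that case occurs.

```python
import json
import re

# Constructed sample shaped like the file the question describes: one
# top-level object keyed by SID, each rule object ending with its own "sid".
# It is not a real Emerging Threats download.
SAMPLE = (
    '{"2012742":{"msg":"ET TROJAN Example A","enabled":true,"sid":"2012742"},'
    '"2012743":{"msg":"ET POLICY Example B","enabled":false,"sid":"2012743"},'
    '"2012744":{"msg":"ET INFO Example C","enabled":true,"sid":"2012744"}}'
)

# Constructed edge case: the first rule's last field is itself an object, so
# that event ends in "}}" before the global SEDCMD runs.
NESTED_SAMPLE = (
    '{"9000001":{"sid":"9000001","meta":{"rev":1}},'
    '"9000002":{"sid":"9000002","meta":"none"}}'
)

# The two patterns from the props.conf stanza in the answer above. Python's
# re treats an unpaired "{" as a literal, as PCRE does for this pattern.
LINE_BREAKER = re.compile(r'(({|,)\"\d+\":){')
SEDCMD_TRIM = ('}}', '}')  # s/}}/}/g


def split_events(raw):
    """Mimic LINE_BREAKER: the text matched by the first capture group marks
    the boundary and is dropped; everything between boundaries is one event."""
    events, pos = [], 0
    for m in LINE_BREAKER.finditer(raw):
        chunk = raw[pos:m.start(1)]
        if chunk:
            events.append(chunk)
        pos = m.end(1)  # keep the "{" that opens the rule object
    if raw[pos:]:
        events.append(raw[pos:])
    return events


def apply_sedcmd(event):
    """Mimic SEDCMD-trim = s/}}/}/g (global, left to right, non-overlapping)."""
    return event.replace(*SEDCMD_TRIM)


def parse_events(raw):
    """Run the stanza's pipeline and verify each event is valid JSON.
    Returns (parsed rule dicts, events that failed to parse)."""
    rules, failures = [], []
    for event in map(apply_sedcmd, split_events(raw)):
        try:
            rules.append(json.loads(event))
        except json.JSONDecodeError:
            failures.append(event)
    return rules, failures


def enabled_sids(rules):
    """The view the question asks for: which SIDs are enabled and which are not."""
    return {r["sid"]: bool(r.get("enabled")) for r in rules if "sid" in r}


if __name__ == "__main__":
    rules, failures = parse_events(SAMPLE)
    print(len(rules), "rules parsed,", len(failures), "failures")
    print(enabled_sids(rules))
    rules, failures = parse_events(NESTED_SAMPLE)
    print(len(rules), "rules parsed,", len(failures), "failures:", failures)
```

Usage: replace SAMPLE with the decompressed contents of a real download and look at the failures list; an empty list means the stanza's line breaking and trimming produce one parseable event per rule.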
