- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is my sourcetype on the indexer when I import ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to import JSON file on Splunk Enterprise, my sourcetype is below:
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
find below is also the Json file format example :
"cve" : {
"CVE_data_meta" : {
"ID" : "CVE-2011-3177"
},
"affects" : {
"vendor" : {
"vendor_data" : [ ]
}
},
"problemtype" : {
"problemtype_data" : [ {
"description" : [ ]
} ]
},
"references" : {
"reference_data" : [ {
"url" : "https://bugzilla.suse.com/show_bug.cgi?id=713661"
}, {
"url" : "https://github.com/yast/yast-core/commit/7fe2e3df308b8b6a901cb2cfd60f398df53219de"
} ]
},
"description" : {
"description_data" : [ {
"lang" : "en",
"value" : "The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks."
} ]
}
},
"configurations" : {
"CVE_data_version" : "4.0",
"nodes" : [ ]
},
"impact" : { },
"publishedDate" : "2017-09-08T18:29Z",
"lastModifiedDate" : "2017-09-08T18:29Z"
},
Question: The sourcetype is on the indexer, do you have any idea what is wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for your solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetypes are specified in props.conf file
It resides on indexers and it applies the config to incoming data from forwarders to indexers
Introducing the 2024 Splunk MVPs!
Thanks for the Memories! Splunk University, .conf24, and Community Connections
.conf24 | Day 0
