Getting Data In

Why is my sourcetype on the indexer when I import a JSON file?

younes17
Explorer

I am trying to import JSON file on Splunk Enterprise, my sourcetype is below:

CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp

find below is also the Json file format example :

"cve" : {
"CVE_data_meta" : {
"ID" : "CVE-2011-3177"
},
"affects" : {
"vendor" : {
"vendor_data" : [ ]
}
},
"problemtype" : {
"problemtype_data" : [ {
"description" : [ ]
} ]
},
"references" : {
"reference_data" : [ {
"url" : "https://bugzilla.suse.com/show_bug.cgi?id=713661"
}, {
"url" : "https://github.com/yast/yast-core/commit/7fe2e3df308b8b6a901cb2cfd60f398df53219de"
} ]
},
"description" : {
"description_data" : [ {
"lang" : "en",
"value" : "The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks."
} ]
}
},
"configurations" : {
"CVE_data_version" : "4.0",
"nodes" : [ ]
},
"impact" : { },
"publishedDate" : "2017-09-08T18:29Z",
"lastModifiedDate" : "2017-09-08T18:29Z"
},

Question: The sourcetype is on the indexer, do you have any idea what is wrong?

1 Solution

Sukisen1981
Champion

Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype

View solution in original post

0 Karma

Sukisen1981
Champion

Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype

0 Karma

younes17
Explorer

thank you for your solution

0 Karma

naidusadanala
Communicator

sourcetypes are specified in props.conf file

It resides on indexers and it applies the config to incoming data from forwarders to indexers

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...