Getting Data In

Why is my sourcetype on the indexer when I import a JSON file?

younes17
Explorer

I am trying to import JSON file on Splunk Enterprise, my sourcetype is below:

CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp

find below is also the Json file format example :

"cve" : {
"CVE_data_meta" : {
"ID" : "CVE-2011-3177"
},
"affects" : {
"vendor" : {
"vendor_data" : [ ]
}
},
"problemtype" : {
"problemtype_data" : [ {
"description" : [ ]
} ]
},
"references" : {
"reference_data" : [ {
"url" : "https://bugzilla.suse.com/show_bug.cgi?id=713661"
}, {
"url" : "https://github.com/yast/yast-core/commit/7fe2e3df308b8b6a901cb2cfd60f398df53219de"
} ]
},
"description" : {
"description_data" : [ {
"lang" : "en",
"value" : "The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks."
} ]
}
},
"configurations" : {
"CVE_data_version" : "4.0",
"nodes" : [ ]
},
"impact" : { },
"publishedDate" : "2017-09-08T18:29Z",
"lastModifiedDate" : "2017-09-08T18:29Z"
},

Question: The sourcetype is on the indexer, do you have any idea what is wrong?

1 Solution

Sukisen1981
Champion

Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype

View solution in original post

0 Karma

Sukisen1981
Champion

Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype

0 Karma

younes17
Explorer

thank you for your solution

0 Karma

naidusadanala
Communicator

sourcetypes are specified in props.conf file

It resides on indexers and it applies the config to incoming data from forwarders to indexers

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...