I am trying to import JSON file on Splunk Enterprise, my sourcetype is below:
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIMESTAMP_FIELDS=timestamp
find below is also the Json file format example :
"cve" : {
"CVE_data_meta" : {
"ID" : "CVE-2011-3177"
},
"affects" : {
"vendor" : {
"vendor_data" : [ ]
}
},
"problemtype" : {
"problemtype_data" : [ {
"description" : [ ]
} ]
},
"references" : {
"reference_data" : [ {
"url" : "https://bugzilla.suse.com/show_bug.cgi?id=713661"
}, {
"url" : "https://github.com/yast/yast-core/commit/7fe2e3df308b8b6a901cb2cfd60f398df53219de"
} ]
},
"description" : {
"description_data" : [ {
"lang" : "en",
"value" : "The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks."
} ]
}
},
"configurations" : {
"CVE_data_version" : "4.0",
"nodes" : [ ]
},
"impact" : { },
"publishedDate" : "2017-09-08T18:29Z",
"lastModifiedDate" : "2017-09-08T18:29Z"
},
Question: The sourcetype is on the indexer, do you have any idea what is wrong?
Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype
Looks like you are trying to import data from cvedetails or some such site,why not use the REST API app and connect to the JSON url provided by the cve website? The REST API app has options to set sourcetype
thank you for your solution
sourcetypes are specified in props.conf file
It resides on indexers and it applies the config to incoming data from forwarders to indexers