Solved: Re: windows_snare_syslog sourcetype but no field e...

Runals · ‎01-06-2013

Perhaps I was over thinking this when I set a sourcetype to windows_snare_syslog - are there no field extractions build "out of the box" so to speak? We are running v5

Ayn · ‎01-07-2013

This app might be of interest to you: http://splunk-base.splunk.com/apps/30824/expanded-snare-syslog

View solution in original post

Ayn · ‎01-07-2013

This app might be of interest to you: http://splunk-base.splunk.com/apps/30824/expanded-snare-syslog

Runals · ‎01-07-2013

Thanks Ayn. I had seen that but the word "expanded" in the description implied to me that there might be some additional out of the box field extractions for snare that I wasn't seeing for whatever reason. Guess not; will check it out.

Runals · ‎01-07-2013

I did just look and am seeing that. The disappointing thing is the syslog-extractions in the transforms.conf is just for process and pid. Had hoped for more value from this sourcetype w/o me having to develop it =).

martin_mueller · ‎01-07-2013

Over here there is a field extraction windows_snare_syslog : REPORT-syslog that maps to the field transformation syslog-extractions.

Are you not seeing that, or is that not doing what you expected?

windows_snare_syslog sourcetype but no field extractions?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?