Splunk Cloud Platform

Unable to use some props.conf settings in Splunk Cloud

SuhDude
New Member

Hello team,

For context, this is a Splunk Cloud environment with an ES and an ad hoc search head.

Today I tried to change an HTTP Event Collector input from sourcetype _json to wiz.

The wiz events are JSON events with a date midway through the event.

Sample event (heavily obfuscated as it is company data):

{
  "event": {
    "trigger": {
      "source": "CLOUD_EVENTS",
      "type": "Created",
      "ruleId": "<rule_id>",
      "ruleName": "WIZ-Splunk Integration"
    },
    "event": {
      "name": "<eventname>",
      "eventURL": "<url>",
      "cloudPlatform": "AWS",
      "timestamp": "2024-06-12T03:01:18Z",
      "source": "<amazon source>",
      "category": "List",
      "path": null,
      "actor": {
        "name": "<account name>",
        "type": "SERVICE_ACCOUNT",
        "IP": "<FQDN>",
        "actingAs": {
          "name": "<role_name>",
          "providerUniqueId": "<UniqID",
          "type": "SERVICE_ACCOUNT",
          "rawlog": {"addendum":null,"additionalEventData":null,"apiVersion":null,"awsRegion":"us-east-1","errorCode":null,"errorMessage":null,"eventCategory":"<event_category>","eventID":"<event_id>","eventName":"<event_name>","eventSource":"<amazon_link>","eventTime":"2024-06-12T03:01:18Z","eventType":"<type of event>","eventVersion":"<version number>","managementEvent":true,"readOnly":true,"recipientAccountId":"<account ID>","requestID":"<request_id>","requestParameters":{"DescribeVpcEndpointsRequest":{"VpcEndpointId":{"content":"<VPCENDPOINTID>","tag":1}}},"resources":null,"responseElements":null,"serviceEventDetails":null,"sessionCredentialFromConsole":null,"sharedEventID":null,"sourceIPAddress":"<source ip>","tlsDetails":null,"userAgent":"<user agent>","userIdentity":{"accountId":"<account ID>","arn":"<ARN>","invokedBy":"<USER>","principalId":"<principal ID>","sessionContext":{"attributes":{"creationDate":"2024-06-12T03:01:17Z","mfaAuthenticated":"false"},"sessionIssuer":{"accountId":"<account ID>","arn":"<ARN>","principalId":"<principal ID>","type":"Role","userName":"<role name>"}},"type":"AssumedRole"},"vpcEndpointId":null}
        }
      },
      "subjectResource": {
        "name": "",
        "type": "",
        "providerUniqueId": "",
        "externalId": "<external ID>",
        "region": "us-east-1",
        "kubernetesCluster": "",
        "kubernetesNamespace": "",
        "account": {"externalId":"<external ID>","id":"<ID>"}
      },
      "matchedRules": " ruleId: ; ruleName: <RULE NAME> "
    }
  }
}

To accomplish the sourcetype name change, I cloned the current configuration for _json under the search app, which was as follows:

CHARSET = UTF-8
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
SHOULD_LINEMERGE = true
category = structured
disabled = false
pulldown_type = true
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true


This cloned the config successfully but, notably, put it under the app 000-self-service rather than search.

I then set the input to the new sourcetype wiz.

Following this change, some events began breaking incorrectly at the first timestamp in the log, a behavior not previously observed with sourcetype _json, which had the same config.

Sample broken event:

Event 1:

{
  "event": {
    "trigger": {
      "source": "CLOUD_EVENTS",
      "type": "Created",
      "ruleId": "<rule_id>",
      "ruleName": "WIZ-Splunk Integration"
    },
    "event": {
      "name": "<eventname>",
      "eventURL": "<url>",
      "cloudPlatform": "AWS",

Event 2:

      "timestamp": "2024-06-12T03:01:18Z",
      "source": "<amazon source>",
      "category": "List",
      "path": null,
      "actor": {
        "name": "<account name>",
        "type": "SERVICE_ACCOUNT",
        "IP": "<FQDN>",
        "actingAs": {
          "name": "<role_name>",
          "providerUniqueId": "<UniqID",
          "type": "SERVICE_ACCOUNT",
          "rawlog": {"addendum":null,"additionalEventData":null,"apiVersion":null,"awsRegion":"us-east-1","errorCode":null,"errorMessage":null,"eventCategory":"<event_category>","eventID":"<event_id>","eventName":"<event_name>","eventSource":"<amazon_link>","eventTime":"2024-06-12T03:01:18Z","eventType":"<type of event>","eventVersion":"<version number>","managementEvent":true,"readOnly":true,"recipientAccountId":"<account ID>","requestID":"<request_id>","requestParameters":{"DescribeVpcEndpointsRequest":{"VpcEndpointId":{"content":"<VPCENDPOINTID>","tag":1}}},"resources":null,"responseElements":null,"serviceEventDetails":null,"sessionCredentialFromConsole":null,"sharedEventID":null,"sourceIPAddress":"<source ip>","tlsDetails":null,"userAgent":"<user agent>","userIdentity":{"accountId":"<account ID>","arn":"<ARN>","invokedBy":"<USER>","principalId":"<principal ID>","sessionContext":{"attributes":{"creationDate":"2024-06-12T03:01:17Z","mfaAuthenticated":"false"},"sessionIssuer":{"accountId":"<account ID>","arn":"<ARN>","principalId":"<principal ID>","type":"Role","userName":"<role name>"}},"type":"AssumedRole"},"vpcEndpointId":null}
        }
      },
      "subjectResource": {
        "name": "",
        "type": "",
        "providerUniqueId": "",
        "externalId": "<external ID>",
        "region": "us-east-1",
        "kubernetesCluster": "",
        "kubernetesNamespace": "",
        "account": {"externalId":"<external ID>","id":"<ID>"}
      },
      "matchedRules": " ruleId: ; ruleName: <RULE NAME> "
    }
  }
}

This was strange behavior but was likely caused by the default setting of BREAK_ONLY_BEFORE_DATE = true.

To remedy this I edited the sourcetype config for wiz by adding the following:

BREAK_ONLY_BEFORE = {[\r\n]\s+\"event\"\:
BREAK_ONLY_BEFORE_DATE = false

Note I left the value below as true:

SHOULD_LINEMERGE = true


However after clicking save the following changes were made:

BREAK_ONLY_BEFORE ={[\r\n]\s+\"event\"\:

LINE_BREAKER = {[\r\n]\s+\"event

SHOULD_LINEMERGE = false

The BREAK_ONLY_BEFORE_DATE setting could not be saved, and SHOULD_LINEMERGE could not be set to true while BREAK_ONLY_BEFORE was present.

I tried performing this change many times over several hours and tried creating unrelated sourcetypes with BREAK_ONLY_BEFORE_DATE, but was unable to set this setting on Splunk Cloud.

In addition, any attempt to set SHOULD_LINEMERGE to true while BREAK_ONLY_BEFORE was present resulted in SHOULD_LINEMERGE being set to false and LINE_BREAKER being set to the same value as BREAK_ONLY_BEFORE.

Other settings could be set as expected.

A final note for information: the timestamp was set to auto.

Are these configurations invalid in general, or just unable to be set in Settings > Source types > Advanced in Splunk Cloud?

As an additional note, none of the settings I applied restored the earlier event breaking behavior, and I was forced to revert the input back to sourcetype _json, where breaking worked as expected.

I would appreciate any answers and am happy to provide more info if needed.

Apologies for the long read.

0 Karma
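As an added illustration (not part of the post above and not Splunk's own code), the following Python models the documented semantics of LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, BREAK_ONLY_BEFORE_DATE and MAX_TIMESTAMP_LOOKAHEAD, and pushes a constructed two-event stream shaped like the sample in the post through three configs: the cloned _json settings, the BREAK_ONLY_BEFORE attempt, and a hypothetical fix that uses SHOULD_LINEMERGE = false with a LINE_BREAKER that fires only before an unindented `{`, plus an explicit TIME_PREFIX/TIME_FORMAT. The `wiz` stanza name, the `fieldN` padding and the second event's timestamp are assumptions made for the example; Splunk's real timestamp detector is reduced to an ISO-8601 regex here.

```python
"""Model of Splunk props.conf event breaking (illustrative re-implementation,
not Splunk's code). LINE_BREAKER splits the raw stream into lines, discarding
the first capture group. With SHOULD_LINEMERGE=true the lines are merged into
events; a new event starts at a line matching BREAK_ONLY_BEFORE or, when
BREAK_ONLY_BEFORE_DATE=true, at a line whose first MAX_TIMESTAMP_LOOKAHEAD
characters contain a timestamp."""
import json
import re

ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?")


def wiz_event(ts: str, n: int) -> str:
    """Constructed pretty-printed event shaped like the obfuscated sample in the
    post. The one-line "rawlog" is padded (assumed fieldN keys) so its embedded
    eventTime sits past the default MAX_TIMESTAMP_LOOKAHEAD of 128 characters."""
    padding = ",".join(f'"field{i}":null' for i in range(12))
    return (
        "{\n"
        '  "event": {\n'
        '    "trigger": {"source": "CLOUD_EVENTS", "type": "Created"},\n'
        '    "event": {\n'
        f'      "name": "event-{n}",\n'
        '      "cloudPlatform": "AWS",\n'
        f'      "timestamp": "{ts}",\n'
        '      "actor": {\n'
        f'        "rawlog": {{{padding},"eventTime":"{ts}","readOnly":true}}\n'
        "      }\n"
        "    }\n"
        "  }\n"
        "}\n"
    )


# Constructed stream: two events back to back, as a raw stream would carry them.
STREAM = wiz_event("2024-06-12T03:01:18Z", 1) + wiz_event("2024-06-12T03:05:42Z", 2)

# The _json settings cloned in the post (breaking-relevant keys only).
CLONED_JSON = {"LINE_BREAKER": r"([\r\n]+)", "SHOULD_LINEMERGE": True,
               "BREAK_ONLY_BEFORE_DATE": True}

# The BREAK_ONLY_BEFORE attempt from the post, with date breaking off as intended.
ATTEMPT = {"LINE_BREAKER": r"([\r\n]+)", "SHOULD_LINEMERGE": True,
           "BREAK_ONLY_BEFORE_DATE": False,
           "BREAK_ONLY_BEFORE": r"{[\r\n]\s+\"event\"\:"}

# Hypothetical fix (assumption, not from the post): break only where a new
# unindented top-level object starts, skip line merging, name the timestamp.
FIXED = {"LINE_BREAKER": r"([\r\n]+)(?=\{)", "SHOULD_LINEMERGE": False,
         "TIME_PREFIX": r'"timestamp":\s*"', "TIME_FORMAT": "%Y-%m-%dT%H:%M:%SZ",
         "MAX_TIMESTAMP_LOOKAHEAD": 32}


def break_events(stream: str, props: dict) -> list[str]:
    breaker = re.compile(props["LINE_BREAKER"])
    assert breaker.groups == 1, "LINE_BREAKER needs exactly one capture group"
    # re.split returns the captured delimiter at odd indexes; drop it like Splunk.
    lines = [seg for seg in breaker.split(stream)[::2] if seg != ""]
    if not props.get("SHOULD_LINEMERGE", True):
        return lines
    before = re.compile(props["BREAK_ONLY_BEFORE"]) if props.get("BREAK_ONLY_BEFORE") else None
    lookahead = props.get("MAX_TIMESTAMP_LOOKAHEAD", 128)
    events: list[str] = []
    for line in lines:
        has_date = props.get("BREAK_ONLY_BEFORE_DATE", True) and ISO_DATE.search(line[:lookahead])
        matches_before = before is not None and before.search(line)
        if not events or has_date or matches_before:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_time(event: str, props: dict):
    """TIME_PREFIX/TIME_FORMAT model: the timestamp must directly follow the
    prefix match, within MAX_TIMESTAMP_LOOKAHEAD characters."""
    m = re.compile(props["TIME_PREFIX"]).search(event)
    if m is None:
        return None
    window = event[m.end(): m.end() + props.get("MAX_TIMESTAMP_LOOKAHEAD", 128)]
    d = ISO_DATE.match(window)
    return d.group(0) if d else None


def parses_as_json(event: str) -> bool:
    try:
        json.loads(event)
        return True
    except json.JSONDecodeError:
        return False


def to_props_conf(sourcetype: str, props: dict) -> str:
    """Render a config dict as the props.conf stanza it stands for."""
    out = [f"[{sourcetype}]"]
    for key, value in props.items():
        out.append(f"{key} = {str(value).lower() if isinstance(value, bool) else value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, props in (("cloned _json", CLONED_JSON), ("BREAK_ONLY_BEFORE attempt", ATTEMPT), ("fixed", FIXED)):
        evs = break_events(STREAM, props)
        print(f"{name}: {len(evs)} event(s), valid JSON: {[parses_as_json(e) for e in evs]}")
    print(to_props_conf("wiz", FIXED))
```

Two points the model makes visible. First, BREAK_ONLY_BEFORE is evaluated against the lines that LINE_BREAKER has already produced, and `([\r\n]+)` has already consumed every newline, so a pattern that contains `[\r\n]` can never match a line; with date breaking off, the whole stream collapses into a single event. Second, the embedded `eventTime` in the one-line `rawlog` lies beyond the default 128-character lookahead, so only the pretty-printed `"timestamp"` line starts a new event, which is the split the post shows. Line breaking of this kind applies to a raw stream (file inputs or the HEC raw endpoint); the model does not cover how the HEC event endpoint or INDEXED_EXTRACTIONS handle an already delimited payload.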