Splunk Cloud Platform

Unable to use some props.conf settings in Splunk Cloud

SuhDude
New Member

Hello team,

For context, this is a Splunk Cloud environment with an ES and an ad hoc search head.

Today I tried to change an HTTP Event Collector input from sourcetype _json to wiz.

The wiz events are JSON events with a date midway through the event.

Sample event (heavily obfuscated as it is company data):

{
  "event": {
    "trigger": {
      "source": "CLOUD_EVENTS",
      "type": "Created",
      "ruleId": "<rule_id>",
      "ruleName": "WIZ-Splunk Integration"
    },
    "event": {
      "name": "<eventname>",
      "eventURL": "<url>",
      "cloudPlatform": "AWS",
      "timestamp": "2024-06-12T03:01:18Z",
      "source": "<amazon source>",
      "category": "List",
      "path": null,
      "actor": {
        "name": "<account name>",
        "type": "SERVICE_ACCOUNT",
        "IP": "<FQDN>",
        "actingAs": {
          "name": "<role_name>",
          "providerUniqueId": "<UniqID>",
          "type": "SERVICE_ACCOUNT",
           "rawlog": {"addendum":null,"additionalEventData":null,"apiVersion":null,"awsRegion":"us-east-1","errorCode":null,"errorMessage":null,"eventCategory":"<event_category>","eventID":"<event_id>","eventName":"<event_name>","eventSource":"<amazon_link>","eventTime":"2024-06-12T03:01:18Z","eventType":"<type of event>","eventVersion":"<version number>","managementEvent":true,"readOnly":true,"recipientAccountId":"<account ID>","requestID":"<request_id>","requestParameters":{"DescribeVpcEndpointsRequest":{"VpcEndpointId":{"content":"<VPCENDPOINTID>","tag":1}}},"resources":null,"responseElements":null,"serviceEventDetails":null,"sessionCredentialFromConsole":null,"sharedEventID":null,"sourceIPAddress":"<source ip>","tlsDetails":null,"userAgent":"<user agent>","userIdentity":{"accountId":"<account ID>","arn":"<ARN>","invokedBy":"<USER>","principalId":"<principal ID>","sessionContext":{"attributes":{"creationDate":"2024-06-12T03:01:17Z","mfaAuthenticated":"false"},"sessionIssuer":{"accountId":"<account ID>","arn":"<ARN>","principalId":"<principal ID>","type":"Role","userName":"<role name>"}},"type":"AssumedRole"},"vpcEndpointId":null}
        }
      },
      "subjectResource": {
        "name": "",
        "type": "",
        "providerUniqueId": "",
        "externalId": "<external ID>",
        "region": "us-east-1",
        "kubernetesCluster": "",
        "kubernetesNamespace": "",
        "account": {"externalId":"<external ID>","id":"<ID>"}
      },
      "matchedRules": " ruleId: ; ruleName: <RULE NAME> "
    }
  }
}

To accomplish the sourcetype name change I cloned the current configuration for _json under app search, which was as follows:

CHARSET = UTF-8
DATETIME_CONFIG=
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=structured
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true

This cloned the config successfully but notably put it under app 000-self-service rather than search.

I then set the input to the new sourcetype wiz.

Following this change, some events began breaking incorrectly at the first timestamp in the log, a behavior not previously observed on sourcetype _json, which had the same config.

Sample broken event:

Event 1:

{
  "event": {
    "trigger": {
      "source": "CLOUD_EVENTS",
      "type": "Created",
      "ruleId": "<rule_id>",
      "ruleName": "WIZ-Splunk Integration"
    },
    "event": {
      "name": "<eventname>",
      "eventURL": "<url>",
      "cloudPlatform": "AWS",

Event 2:

      "timestamp": "2024-06-12T03:01:18Z",
      "source": "<amazon source>",
      "category": "List",
      "path": null,
      "actor": {
        "name": "<account name>",
        "type": "SERVICE_ACCOUNT",
        "IP": "<FQDN>",
        "actingAs": {
          "name": "<role_name>",
          "providerUniqueId": "<UniqID>",
          "type": "SERVICE_ACCOUNT",
           "rawlog": {"addendum":null,"additionalEventData":null,"apiVersion":null,"awsRegion":"us-east-1","errorCode":null,"errorMessage":null,"eventCategory":"<event_category>","eventID":"<event_id>","eventName":"<event_name>","eventSource":"<amazon_link>","eventTime":"2024-06-12T03:01:18Z","eventType":"<type of event>","eventVersion":"<version number>","managementEvent":true,"readOnly":true,"recipientAccountId":"<account ID>","requestID":"<request_id>","requestParameters":{"DescribeVpcEndpointsRequest":{"VpcEndpointId":{"content":"<VPCENDPOINTID>","tag":1}}},"resources":null,"responseElements":null,"serviceEventDetails":null,"sessionCredentialFromConsole":null,"sharedEventID":null,"sourceIPAddress":"<source ip>","tlsDetails":null,"userAgent":"<user agent>","userIdentity":{"accountId":"<account ID>","arn":"<ARN>","invokedBy":"<USER>","principalId":"<principal ID>","sessionContext":{"attributes":{"creationDate":"2024-06-12T03:01:17Z","mfaAuthenticated":"false"},"sessionIssuer":{"accountId":"<account ID>","arn":"<ARN>","principalId":"<principal ID>","type":"Role","userName":"<role name>"}},"type":"AssumedRole"},"vpcEndpointId":null}
        }
      },
      "subjectResource": {
        "name": "",
        "type": "",
        "providerUniqueId": "",
        "externalId": "<external ID>",
        "region": "us-east-1",
        "kubernetesCluster": "",
        "kubernetesNamespace": "",
        "account": {"externalId":"<external ID>","id":"<ID>"}
      },
      "matchedRules": " ruleId: ; ruleName: <RULE NAME> "
    }
  }
}

This was strange behavior but was likely caused by the default setting of BREAK_ONLY_BEFORE_DATE=true.

To remedy this I edited the sourcetype config for wiz by adding the following:

BREAK_ONLY_BEFORE = {[\r\n]\s+\"event\"\:
BREAK_ONLY_BEFORE_DATE = false

Note: I left the value below as true.

SHOULD_LINEMERGE = true

However, after clicking save, the following changes were made:

BREAK_ONLY_BEFORE = {[\r\n]\s+\"event\"\:
LINE_BREAKER = {[\r\n]\s+\"event
SHOULD_LINEMERGE = false

The BREAK_ONLY_BEFORE_DATE setting could not be saved, and SHOULD_LINEMERGE could not be set to true while BREAK_ONLY_BEFORE was present.

I tried performing this change many times over a period of hours and tried creating unrelated sourcetypes with BREAK_ONLY_BEFORE_DATE, but was unable to set this setting on Splunk Cloud.

In addition, any attempt to set SHOULD_LINEMERGE to true while BREAK_ONLY_BEFORE was present resulted in SHOULD_LINEMERGE being set to false and LINE_BREAKER being set to the same value as BREAK_ONLY_BEFORE.

Other settings could be set as expected.

A final note for information: timestamp was set to auto.

Are these configurations invalid in general, or just unable to be set in Settings > Sourcetypes > Advanced in Splunk Cloud?

As an additional note, no settings applied were able to restore the earlier event breaking behavior, and I was forced to revert the input back to sourcetype _json, where breaking worked as expected.

Would appreciate any answers and am happy to provide more info if needed.

Apologies for the long read.

0 Karma
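As an added illustration (not code from the post, and not Splunk's implementation), the Python below models the two stages the question turns on: LINE_BREAKER splitting the raw stream into lines, then the SHOULD_LINEMERGE rules (BREAK_ONLY_BEFORE_DATE, BREAK_ONLY_BEFORE, MAX_TIMESTAMP_LOOKAHEAD) gluing lines back into events. It is a simplified model of the documented rules: the sample event is constructed in the shape of the one above with most fields dropped, "auto" timestamp detection is reduced to an ISO 8601 pattern, the 128-character lookahead is the documented default, and the per-line BREAK_ONLY_BEFORE pattern `^\{$` and the LINE_BREAKER `([\r\n]+)(?=\{)` are choices of mine, not the patterns from the post. With the cloned _json stanza it reproduces the split the post shows (the first fragment ends at `"cloudPlatform": "AWS",`, and the dates inside the long rawlog line do not cause a further break because they sit past the lookahead); the other two configurations keep each delivery whole.

```python
import json
import re

# Constructed sample in the shape of the Wiz/HEC event from the post (same
# nesting, placeholders kept, most fields dropped). The "rawlog" line is
# deliberately long so that its own dates sit past the first 128 characters.
SAMPLE_EVENT = """{
  "event": {
    "trigger": {
      "source": "CLOUD_EVENTS",
      "ruleName": "WIZ-Splunk Integration"
    },
    "event": {
      "name": "<eventname>",
      "cloudPlatform": "AWS",
      "timestamp": "2024-06-12T03:01:18Z",
      "actor": {
        "rawlog": {"addendum":null,"additionalEventData":null,"apiVersion":null,"awsRegion":"us-east-1","errorCode":null,"errorMessage":null,"eventTime":"2024-06-12T03:01:18Z","sourceIPAddress":"<source ip>","userIdentity":{"sessionContext":{"attributes":{"creationDate":"2024-06-12T03:01:17Z","mfaAuthenticated":"false"}}}}
      }
    }
  }
}"""

# Two consecutive deliveries as they would sit in the raw stream (constructed).
RAW_STREAM = SAMPLE_EVENT + "\n" + SAMPLE_EVENT

# Assumption: "auto" timestamp recognition is reduced here to ISO 8601 Zulu.
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def line_break(raw, line_breaker=r"([\r\n]+)"):
    """Model of LINE_BREAKER: the text matched by capture group 1 is the
    delimiter and is discarded; everything between delimiters is a line."""
    pieces, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        pieces.append(raw[pos:m.start(1)])
        pos = m.end(1)
    pieces.append(raw[pos:])
    return [p for p in pieces if p]


def line_merge(lines, should_linemerge=True, break_only_before_date=True,
               break_only_before=None, max_timestamp_lookahead=128):
    """Model of the line-merging rules: with SHOULD_LINEMERGE=true, lines are
    glued together and a new event starts before any line that (a) carries a
    timestamp within the first MAX_TIMESTAMP_LOOKAHEAD characters when
    BREAK_ONLY_BEFORE_DATE is true, or (b) matches BREAK_ONLY_BEFORE.
    With SHOULD_LINEMERGE=false every line is already an event."""
    if not should_linemerge:
        return list(lines)
    before = re.compile(break_only_before) if break_only_before else None
    events, current = [], []
    for line in lines:
        date_hit = break_only_before_date and TIMESTAMP.search(line[:max_timestamp_lookahead])
        regex_hit = before is not None and before.search(line)
        if (date_hit or regex_hit) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_events(raw, line_breaker=r"([\r\n]+)", **merge_props):
    """Raw stream -> list of event strings under the given props settings."""
    return line_merge(line_break(raw, line_breaker), **merge_props)


def is_whole_json(event):
    """Pipeline health check: does this event's _raw still parse as one object?"""
    try:
        json.loads(event)
        return True
    except json.JSONDecodeError:
        return False


def compare_configs(raw=RAW_STREAM):
    """Run the configurations discussed in the post over the same raw stream and
    return {config name: [(event text, parses as whole JSON), ...]}."""
    configs = {
        # the cloned _json stanza: SHOULD_LINEMERGE=true, date rule at default
        "cloned_default": dict(),
        # date rule off; break only before a line that is just the opening brace
        # (assumed per-line pattern, not the pattern from the post)
        "date_rule_off": dict(break_only_before_date=False, break_only_before=r"^\{$"),
        # no line merging at all; LINE_BREAKER alone delimits deliveries
        "linebreaker_only": dict(line_breaker=r"([\r\n]+)(?=\{)", should_linemerge=False),
    }
    return {name: [(ev, is_whole_json(ev)) for ev in parse_events(raw, **props)]
            for name, props in configs.items()}


if __name__ == "__main__":
    for name, events in compare_configs().items():
        print(name, [(len(ev.splitlines()), whole) for ev, whole in events])
```

The output of the `__main__` block is what matters to a defender: under the cloned stanza the stream of two deliveries becomes three events, none of them valid JSON, and the middle one is the tail of one delivery glued to the head of the next. The CloudTrail detail (sourceIPAddress, mfaAuthenticated, userIdentity) therefore lands in a different event from the Wiz rule name, so any search or correlation that expects both in one event stops matching without raising an error. Running `is_whole_json` over `_raw` (or simply counting events whose `_raw` does not start with `{`) after a sourcetype change is a cheap way to catch this before detections go quiet.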