Splunk Enterprise Security

Eventgen not breaking _json events correctly after using proven sourcetype props.conf that does work - any suggestions?

DanClarke
New Member

Hi,

I have been able to prove that I can ingest some _json sample events into Splunk and that it breaks the events correctly using the _json_no_timestamp configuration. This works for the 16 events I have and breaks each event correctly. It does not work with eventgen, though...?

These are the sample _json events that I have exported as a _json format file and am trying to use eventgen to generate more sample events from this. See sample example below...

{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"3308","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\Windows\System32\reg.exe","Process_Command_Line":"REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f","_time":1544107567.59855}

{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"8108","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\Windows\System32\whoami.exe","Process_Command_Line":"whoami /priv","_time":1543848748.94334}

I have created my eventgen.conf stanza as follows and this points to my sample file above...

[powershell_events_3]
interval = 300
earliest = -15m
latest = now
outputMode = splunkstream

fileName = /tmp/powershell_events.json

host = eventgen
source = WinEventLog:Security
maxIntervalsBeforeFlush = 1
disabled = 0

backfillSearch = index="corpserv_event" sourcetype="json_no_timestamp"

index = corpserv_event
sourcetype = json_no_timestamp

I have created my props.conf as follows so that I have the correct sourcetype configurations...

[json_no_timestamp]
BREAK_ONLY_BEFORE=^{
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
MAX_TIMESTAMP_LOOKAHEAD=800
SHOULD_LINEMERGE=true
category=Structured
description=A variant of the JSON source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true

This setup has been proven to work when pointing to my main index and not using eventgen. I have used eventgen with other sourcetypes / data types and it works, so either eventgen does not work for _json or I am missing something...? Any help appreciated...

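A sanity check worth running on the sample file before pointing eventgen at it (an added example, not code from the post or from eventgen): it mimics the `SHOULD_LINEMERGE=true` / `BREAK_ONLY_BEFORE=^{` rule from the props.conf above, then parses each resulting event as JSON, so you can see whether the exported file itself yields one well-formed object per event. The sample lines are constructed in the shape of the post's events; the third deliberately carries a Windows path with unescaped backslashes, as the paths appear in the post's text.

```python
import json
import re

# Constructed sample in the shape of the post's export: the first two lines
# escape the backslashes as JSON requires, the third leaves them raw, the
# way the paths read in the post (a blank line separates events, as there).
SAMPLE = r'''{"Account_Name":"xxxx","EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\reg.exe","_time":1544107567.59855}

{"Account_Name":"xxxx","EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\whoami.exe","Process_Command_Line":"whoami /priv","_time":1543848748.94334}
{"Account_Name":"xxxx","EventCode":"4688","New_Process_Name":"C:\Windows\System32\reg.exe","_time":1543848748.94334}
'''

# The props.conf rule from the post: a new event begins only at a line
# that starts with '{'; every other line is merged into the current event.
BREAK_ONLY_BEFORE = re.compile(r"^\{")


def split_like_props(text):
    """Approximate SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE=^{ on raw text.
    Splunk's merger also enforces limits such as MAX_EVENTS; those are
    not modelled here, only the break-before rule itself."""
    events = []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def check_events(events):
    """Return (valid, problems). valid holds parsed dicts that carry _time;
    problems lists (event number, reason) for events that would still be
    indexed as text but give no usable JSON field extraction."""
    valid, problems = [], []
    for n, ev in enumerate(events, 1):
        try:
            obj = json.loads(ev)
        except json.JSONDecodeError as e:
            problems.append((n, f"invalid JSON: {e.msg} at col {e.colno}"))
            continue
        if "_time" not in obj:
            problems.append((n, "no _time field"))
            continue
        valid.append(obj)
    return valid, problems


if __name__ == "__main__":
    evs = split_like_props(SAMPLE)
    ok, bad = check_events(evs)
    print(f"{len(evs)} events after line breaking, {len(ok)} parse cleanly")
    for n, why in bad:
        print(f"event {n}: {why}")
```

Point the script at the real /tmp/powershell_events.json instead of SAMPLE to compare the number of events the break rule produces with the number of objects that parse.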