Splunk Enterprise Security

Eventgen not breaking _json events correctly after using proven sourcetype props.conf that does work - any suggestions?

DanClarke
New Member

Hi,

I have been able to prove that I can ingest some _json sample events into Splunk and that it breaks the events correctly using _json_no_timestamp configurations. This works for the 16 events I have and breaks each event correctly. It does not work with eventgen...?

These are the sample _json events that I have exported as a _json format file and am trying to use eventgen to generate more sample events from this. See sample example below...

{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"3308","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\reg.exe","Process_Command_Line":"REG ADD HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f","_time":1544107567.59855}

{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"8108","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\whoami.exe","Process_Command_Line":"whoami /priv","_time":1543848748.94334}

I have created my eventgen.conf stanza as follows and this points to my sample file above...

[powershell_events_3]
interval = 300
earliest = -15m
latest = now
outputMode = splunkstream

fileName = /tmp/powershell_events.json

host = eventgen
source = WinEventLog:Security
maxIntervalsBeforeFlush = 1
disabled = 0

backfillSearch = index="corpserv_event" sourcetype="json_no_timestamp"

index = corpserv_event
sourcetype = json_no_timestamp

I have created my props.conf as follows so that I have the correct sourcetype configurations...

[json_no_timestamp]
BREAK_ONLY_BEFORE=^{
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
MAX_TIMESTAMP_LOOKAHEAD=800
SHOULD_LINEMERGE=true
category=Structured
description=A variant of the JSON source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true

This setup has been proven to work when pointing to my main index and not using eventgen. I have used eventgen with other sourcetypes / data types and it works; either eventgen does not work for _json or I am missing something...? Any help appreciated...

0 Karma
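As an added example (not part of the original post or of eventgen), the following script emulates what the props.conf above asks Splunk to do (SHOULD_LINEMERGE=true with BREAK_ONLY_BEFORE=^{) against a sample file, then checks that every resulting event is valid JSON. The sample content is constructed here to match the post's events; the third event is deliberately written with a bare backslash (an invalid JSON escape) so the report shows what a malformed sample looks like before it is handed to eventgen.

```python
import json
import re

# Constructed sample, modelled on the events in the post. The first two use
# properly escaped backslashes; the third has an invalid "\W" escape on purpose.
SAMPLE = r'''{"Account_Domain":"xxxx","Account_Name":"xxxx","EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\reg.exe","Process_Command_Line":"REG ADD HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f","_time":1544107567.59855}

{"Account_Domain":"xxxx","Account_Name":"xxxx","EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\whoami.exe","Process_Command_Line":"whoami /priv","_time":1543848748.94334}

{"Account_Domain":"xxxx","EventCode":"4688","New_Process_Name":"C:\Windows\System32\cmd.exe","_time":1543848750.0}
'''


def break_events(raw, pattern=r"^{"):
    """Emulate SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE: a line matching the
    pattern starts a new event; every other line is merged into the current one."""
    events, current = [], []

    def flush():
        text = "\n".join(current).strip()
        if text:
            events.append(text)

    for line in raw.splitlines():
        if re.match(pattern, line):
            flush()
            current.clear()
        current.append(line)
    flush()
    return events


def validate_events(raw):
    """Return (parsed, errors): parsed events as dicts, errors as (index, message)."""
    parsed, errors = [], []
    for i, event in enumerate(break_events(raw)):
        try:
            parsed.append(json.loads(event))
        except json.JSONDecodeError as exc:
            errors.append((i, str(exc)))
    return parsed, errors


if __name__ == "__main__":
    events, problems = validate_events(SAMPLE)
    print(f"{len(events)} valid event(s), {len(problems)} malformed")
    for idx, msg in problems:
        print(f"  event {idx}: {msg}")
```

Point it at the real sample file (for example by reading /tmp/powershell_events.json into SAMPLE) to confirm the line breaking yields one parseable object per event before troubleshooting eventgen itself.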