Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- How do I import botsv1 data to Splunk so I can sta...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to setup a test environment so I can practice the new SPL that I am learning. I am trying to work with botsv1. I have downloaded and installed Splunk Enterprise along with the Splunk App for Stream, TA-Suricata, and the botsv1_data_set.tgz.
At this point I should be able to run an "index=botsv1" which does run successfully, but it has zero events. That makes me think I have the app installed but not the data. When I click on the link in GetHub to download the botsv1.json.gz file it opens a new Chrome browser tab rather than downloading the file. The same with all the individual Json files.
I know I am just doing it wrong (newbee), but how do I pull the data into Splunk so I can start searching it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not only am I new to Splunk, but I am a bit of novice at Linux. Turns out I created my Linux environment using LVM, which seem to have only used 100Gb of the 300Gb disk space I allocated. While attempting to install the Botsv1_Data_Set using the web interface I never saw the notices that I was out of disk space so the install would never compete.
When I ran the install manually using the terminal I finally saw an error message indicating the disk was out of space. Once I resolved my LVM disk space issues the app installed correctly and I was able to run the "index=botsv1 earliest=0" search and get events displayed.
Thank you Stephanie for responding to my posts. I hope this helps some other newbee to Splunk out there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not only am I new to Splunk, but I am a bit of novice at Linux. Turns out I created my Linux environment using LVM, which seem to have only used 100Gb of the 300Gb disk space I allocated. While attempting to install the Botsv1_Data_Set using the web interface I never saw the notices that I was out of disk space so the install would never compete.
When I ran the install manually using the terminal I finally saw an error message indicating the disk was out of space. Once I resolved my LVM disk space issues the app installed correctly and I was able to run the "index=botsv1 earliest=0" search and get events displayed.
Thank you Stephanie for responding to my posts. I hope this helps some other newbee to Splunk out there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems you were able to install the botsv1_data_set.tgz from the command line. Can you share how you did that and from which directory?
I have tar -xvfz <filename> from the $SPLUNK_HOME/etc/apps directory and now have a botsv1_data_set folder with fully expanded data set in what appears to be a botsv1_data_set app, but I cannot search or see the app or data from my Splunk search and reporting screen. I also cannot search the app or manage the app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you're certain you did the installation correctly, then it sounds like your timerange of your search isn't including your data.
Try the search
index=botsv1 earliest=0
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
