Splunk Search

Feature / Workaround request: Add data to Splunk for Sourcefire

mlulmer
Explorer

Current EVENT logs from estreamer client pulls the following example record:

Tue Nov 1 23:59:59 2011 sensor_id=66 event_id=26 event_sec=1320217199 event_usec=459249 sid=13249 gen=1 rev=4 class=33 priority=1 src_addr=10.11.12.13 dst_addr=10.31.1.21 src_port=53 dst_port=51211 ip_proto=17 impact_flag=1 pad=1024

The numeric values do not provide the best information. Can you get the RULE record and show the textual message for the rule that fired (sid=13249). Also retrieve the class=33 text value and the sensor_id=66 hostname value. This would make this app more usable for us.

Thanks.

1 Solution

athana
Splunk Employee
Splunk Employee

mlulmer - Thank you for your suggestions, I will add these features to the new version of the app.

View solution in original post

athana
Splunk Employee
Splunk Employee

I just want to let you know that I posted the new version of Splunk for Sourcefire app (v2.0), which include your feature request.

athana
Splunk Employee
Splunk Employee

mlulmer - Thank you for your suggestions, I will add these features to the new version of the app.

Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...