Good Morning,
I am pulling zeek (Bro) logs into my Splunk to view events. However, some of these events will display proper syntax highlights while others will just display raw text only, regardless of their log source. The main difference between the 2 I've noticed is that the events that display proper syntax highlights only have 1 timestamp, while other events with multiple timestamps will display as raw text. Multiple searches have led me to create my own local props.conf and transforms.conf files, which contain this information at the current time:
transforms.conf:
[TranSON]
SOURCE_KEY = _raw
DEST_KEY = _raw
REGEX = ^([^{]+)({.+})$
FORMAT = $2

props.conf:
[my_source_type]
KV_MODE = JSON
TRANSFORMS-JSON = TranSON
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n\s]*)(?=\{\s*"ts":)
TIME_FORMAT = %m-%d%-%Y %H:%M:%S.%4n
TIME_PREFIX = "timestamp":\s*"
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 0
EVENT_BREAKER_ENABLE = true
Here are also 2 examples of the events (I will write them both out in raw text): one that is displaying the syntax highlights and one that doesn't.
Event that shows Syntax highlights: {"ts":1659441156.916498,"host":"1.1.1.1","port_num":123,"port_proto":"udp","service":[""]}
Event that does not show Syntax highlights:
{"ts":1659441445.280528,"id.orig_h":"1.1.1.1","id.orig_p":123,"id.resp_h":"1.1.2.2","id.resp_p":456} {"ts":1659441456.795169,"id.orig_h":"1.1.3.4","id.orig_p":789,"id.resp_h":"1.1.7.9","id.resp_p":456}
Any information would be greatly appreciated, I don't know if I'm missing something or I am approaching this wrong.