OK I am not crazy here I've seen this on two different machines that I've been running SplunkforSnort on.
I set up the devices to pull from the '/var/log/snort/alert' log on the box and give them a manual sourcetype of 'snort'. When I first set both boxes up things worked great. Then after about 5-7 days the application exhibits a strange behavior. It only displays the data from 12am to 1am. Has anyone else experienced this?
When I tail -f the log file I see snort alerts coming in, and even when I set SplunkforSnort to 1min realtime I see the number of scanned events increase, but the results show as zero.
I am using snort 2.9.0.4 and Splunk 4.2.3 if that helps.