×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
phillijc
New Member
Member since: ‎07-10-2013
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-10-2013
Activity Feed
Topics I've Started
View All

Re: Splunk for Snort Event Question

by in All Apps and Add-ons
‎07-15-2013 08:28 AM
1 Karma
‎07-15-2013 08:28 AM
1 Karma
OK, the main problem I see with your setup is that you have set the sourcetype "snort". As the installation docs for Splunk for Snort state, you need to set either snort_alert_fast for alert_fast format or snort_alert_full for alert_full format. This is because these two need to be parsed differently in order to achieve correct event breaking, and I suspect this is what is causing you problems - events are not breaking properly so event boundaries in Splunk will not correspond to event boundaries in the original log file. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM