About FCTaylor

FCTaylor · ‎03-21-2022

Not only am I new to Splunk, but I am a bit of novice at Linux. Turns out I created my Linux environment using LVM, which seem to have only used 100Gb of the 300Gb disk space I allocated. While attempting to install the Botsv1_Data_Set using the web interface I never saw the notices that I was out of disk space so the install would never compete. When I ran the install manually using the terminal I finally saw an error message indicating the disk was out of space. Once I resolved my LVM disk space issues the app installed correctly and I was able to run the "index=botsv1 earliest=0" search and get events displayed. Thank you Stephanie for responding to my posts. I hope this helps some other newbee to Splunk out there.

FCTaylor · ‎03-21-2022

Not only am I new to Splunk, but I am a bit of novice at Linux. Turns out I created my Linux environment using LVM, which seem to have only used 100Gb of the 300Gb disk space I allocated. While attempting to install the Botsv1_Data_Set using the web interface I never saw the notices that I was out of disk space so the install would never compete. When I ran the install manually using the terminal I finally saw an error message indicating the disk was out of space. Once I resolved my LVM disk space issues the app installed correctly and I was able to run the "index=botsv1 earliest=0" search and get events displayed. Thank you Stephanie for responding to my posts. I hope this helps some other newbee to Splunk out there.

FCTaylor · ‎03-21-2022

Does it matter what version of Splunk I am running. I currently have version 8.2 and the GitHub specifically calls out version 6.5.2. I am asking because when I try to install the Botsv1_Data_Set app the server seems to hang and the application never finishes installing. I can unzip the file to %splunk_home%/etc/apps but after doing that I see the application listed in Application Manager but the "index=botsv1 earlienst=0" command returns no results.

FCTaylor · ‎03-21-2022

I am new to Splunk and need some serious practice to learn all the cool things Splunk can do. I am trying to load the BOTSV1 JSON dataset into my lab environment so I can start learning the basics of SPL. According to the comments in GitHub this dataset is 120GB uncompressed. This brings up the following two issues. 1) The Splunk web file importer will only load files up to 500MB. How am I supposed to load a 120GB file? 2) The Splunk development license that I received is limited to 10GB, so how am I supposed to load this 120GB file once question #1 is resolved? I am sure I am not the only one encountering this issue, so forgive me for asking a question that has probably already been answered numerous time.

FCTaylor · ‎03-16-2022

I am trying to setup a test environment so I can practice the new SPL that I am learning. I am trying to work with botsv1. I have downloaded and installed Splunk Enterprise along with the Splunk App for Stream, TA-Suricata, and the botsv1_data_set.tgz. At this point I should be able to run an "index=botsv1" which does run successfully, but it has zero events. That makes me think I have the app installed but not the data. When I click on the link in GetHub to download the botsv1.json.gz file it opens a new Chrome browser tab rather than downloading the file. The same with all the individual Json files. I know I am just doing it wrong (newbee), but how do I pull the data into Splunk so I can start searching it?

Posts	5
Solutions	2
Karma Given	0
Karma Received	1
Member Since	‎03-16-2022

Online Status	Offline
Date Last Visited	‎03-21-2022 01:56 PM

Loading BOTSV1 JSON into developer Splunk environm...

How do I import botsv1 data to Splunk so I can sta...

Re: How do I import botsv1 data to Splunk so I can...

Re: Loading BOTSV1 JSON into developer Splunk envi...

Re: Loading BOTSV1 JSON into developer Splunk envi...

Loading BOTSV1 JSON into developer Splunk environm...

How do I import botsv1 data to Splunk so I can sta...