Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About onegreydot
onegreydot
Explorer
Member since:
05-13-2013
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 05-13-2013 |
Activity Feed
- Posted Re: Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 04-04-2016 11:27 AM
- Posted Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Tagged Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Tagged Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Tagged Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Tagged Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Tagged Add-on for Bro-IDS: Line Break fails with double quote in field. How do I edit the configuration to fix this? on All Apps and Add-ons. 07-23-2015 11:30 AM
- Posted Re: maxmind geo database with splunk 6 on Dashboards & Visualizations. 12-16-2013 04:34 PM
- Posted maxmind geo database with splunk 6 on Dashboards & Visualizations. 12-14-2013 01:09 PM
- Tagged maxmind geo database with splunk 6 on Dashboards & Visualizations. 12-14-2013 01:09 PM
- Tagged maxmind geo database with splunk 6 on Dashboards & Visualizations. 12-14-2013 01:09 PM
- Tagged maxmind geo database with splunk 6 on Dashboards & Visualizations. 12-14-2013 01:09 PM
- Posted Re: Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-20-2013 05:53 AM
- Posted Re: Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-18-2013 11:29 AM
- Posted Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-18-2013 07:08 AM
- Tagged Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-18-2013 07:08 AM
- Tagged Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-18-2013 07:08 AM
- Tagged Mulitple versions of logs creating separate sourcetypes? on Getting Data In. 10-18-2013 07:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
04-04-2016
11:27 AM
Think this was fixed by changing the field quote to always just look for tabs.
FIELD_QUOTE = \t
... View more
07-23-2015
11:30 AM
Hi,
I have a Bro IDS log file that consists of tab delimited fields. I have noticed that line breaking tends to fail when there is a double quote " in the field. Have tried numerous props.conf configurations, but it still looks like it is not working. Instead of line breaking it, the whole log is ingested as an event starting at the event with a double quote.
#ts src dest message1 message2
1345678.123432 1.1.1.1 2.2.2.2 this is a message this is a message2
1345678.123433 1.1.1.1 2.2.2.2 this is a message this is a message2
1345678.123434 1.1.1.1 2.2.2.2 "this is a message" this is a message2
1345678.123435 1.1.1.1 2.2.2.2 this is a message this is a message2
1345678.123436 1.1.1.1 2.2.2.2 this is a message this is a message2
1345678.123437 1.1.1.1 2.2.2.2 this is a message this is a message2
If this example is ingested, everything from the double quote on line 3 will be ingested.
I have mainly been using the Splunk TA for Bro IDS.
The props.conf for bro looks something like:
[bro]
SHOULD_LINEMERGE = false
TRUNCATE = false
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_FORMAT = %s.%6N
TRANSFORMS-BroAutoType = BroAutoType, TrashComments, BroRouteIndex
INDEXED_EXTRACTIONS = TSV
FIELD_HEADER_REGEX = ^#fields\t(.*)
FIELD_DELIMITER = \t
FIELD_QUOTE = "
Have added:
LINE_BREAKER = ([\r\n]+)
also have tried:
SEDCMD-DQUOTES = s/"//g
with no success.
Any help on this is greatly apprceiated!
... View more
12-16-2013
04:34 PM
Thanks for the answer. Hopefully it gets added :D.
... View more
12-14-2013
01:09 PM
Would it be possible to use the Maxmind IPv4 database in substitute with Splunk 6's ipv4 database for the maps function?
... View more
10-20-2013
05:53 AM
Tried adding that in the props.conf and it does extract both sets now.
However it still doesn't distinguish between logs, because the headers have changed. I should have put that in the example above.
So instead of "src_ip", "src_port", "dest_ip" ...
It may be "src_ip", "src_port", "host", "dest_ip" ...
The above makes it so that host could have the dest_ip and vice versa when searching the logs. If there were just additional headers to the log the above solution would work great!
Thanks!
... View more
10-18-2013
11:29 AM
The format of the log files in the transforms.conf looks something like:
old log:
[old_log] FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port"
DELIMS=","
new log:
[new_log]
FIELDS="timestamp", "src_ip", "src_port", "dest_ip", "dest_port", "url", "level", "message"
DELIMS=","
In my props.conf I have:
[source::.../name.log]
sourcetype = name_log
[name_log]
REPORT-old_log = old_log
...
...
As you can see the new version of the log has a few more fields. I will actually try putting both REPORT statments in the props.conf and see how that goes.
Thanks for the help.
... View more
10-18-2013
07:08 AM
I have a log file that I created a transforms.conf and props.conf for specifying the log source in the props with [source::.../name.log]. The application generating the log was recently updated and the log file now has the same name.log but different header fields. Righ now I am extracting the fields using the REPORT statement and having DELIMS and FIELDS. But since the log file changed the FIELDS are now different. What would be the best way to maintaining both versions of logs inside of my splunk instance without having to rename the actual log?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
