Hi,
I have been able to prove that I can ingest some _json sample events into Splunk and that it breaks the events correctly using the _json_no_timestamp configuration. This works for the 16 events I have and breaks each event correctly. It does not work with eventgen...?
These are the sample _json events that I have exported as a _json format file and am trying to use eventgen to generate more sample events from. See the sample below...
{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"3308","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\reg.exe","Process_Command_Line":"REG ADD HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f","_time":1544107567.59855}
{"Account_Domain":"xxxx","Account_Name":"xxxx","ComputerName":"xxxxxx.org","Creator_Process_ID":"8108","Creator_Process_Name":null,"EventCode":"4688","New_Process_Name":"C:\\Windows\\System32\\whoami.exe","Process_Command_Line":"whoami /priv","_time":1543848748.94334}
I have created my eventgen.conf stanza as follows, and it points to my sample file above...
[powershell_events_3]
interval = 300
earliest = -15m
latest = now
outputMode = splunkstream
fileName = /tmp/powershell_events.json
host = eventgen
source = WinEventLog:Security
maxIntervalsBeforeFlush = 1
disabled = 0
backfillSearch = index="corpserv_event" sourcetype="json_no_timestamp"
index = corpserv_event
sourcetype = json_no_timestamp
I have created my props.conf as follows so that I have the correct sourcetype configuration...
[json_no_timestamp]
BREAK_ONLY_BEFORE=^{
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
MAX_TIMESTAMP_LOOKAHEAD=800
SHOULD_LINEMERGE=true
category=Structured
description=A variant of the JSON source type, with support for nonexistent timestamps
disabled=false
pulldown_type=true
This setup has been proven to work when pointing to my main index and not using eventgen. I have used eventgen with other sourcetypes / data types and it works, so either eventgen does not work for _json or I am missing something...? Any help appreciated...