Hello,
I am currently testing Splunk, with a single instance on a VM.
I have some trouble getting information out of logs correctly.
The log I am analysing has the following fields:
Time Stamp, Action, Source, Destination, Translated Source, Translated Dest, Duration, Bytes Sent, Bytes Received, Application, and Reason.
Some sample data:
========================================================================================================================
Entire Traffic Log list
Current system time is Thu, 25 Apr 2019 09:38:19
========================================================================================================================
Time Stamp Action Source Destination Translated Source Translated Dest Duration Bytes Sent Bytes Received Application Reason
2019-04-25 09:38:19 Permit
10.11.100.139:49573 192.168.3.2:9090 10.11.100.139:49573 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit
10.11.100.104:52934 <public IP>:443 <public IP>:30233 <public IP>:443 0 sec 0 0 HTTPS Creation 2019-04-25 09:38:19 Deny
10.10.1.50:60239 <public IP>:443 0.0.0.0:0 0.0.0.0:0 0 sec 0 28 HTTPS Traffic Denied 2019-04-25 09:38:19 Permit
10.11.100.139:49572 192.168.3.2:9090 10.11.100.139:49572 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit
10.11.100.133:50622 <public IP>:443 <public IP>:32209 <public IP>:443 0 sec 0 0 HTTPS Creation 2019-04-25 09:38:19 Permit
10.11.100.139:49571 192.168.3.2:9090 10.11.100.139:49571 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit
10.11.100.39:51561 <public IP>:443 <public IP>:57732 <public IP>:443 0 sec 0 0 HTTPS
That's the first few lines of the log.
I have replaced public IPs with <public IP> for obvious reasons.
When I try to transform all these so I can select on them more easily, I run into errors.
What is the best way to get the data out?
I guess I have to change a props.conf file. How do I find the one that contains the sourcetype I created?
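The sample above shows why field extraction breaks: the physical line breaks fall in the middle of records, so the last two columns of one record ("Creation 2019-04-25 09:38:19 Permit") sit on the same line as the first two of the next. Any parser has to ignore the newlines and start a new record wherever a timestamp appears. The following is an added example, not code from the original post or from Splunk: a small Python parser for the log format shown, run over a constructed copy of the poster's sample (with the "<public IP>" placeholder kept as-is). The list of reasons ("Creation", "Traffic Denied") is an assumption taken from the sample, since the application and reason columns can both contain spaces and the boundary between them is only recoverable from a known set of reason values.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the poster's banner, header row and first records, with
# the same line-wrapping problem (the next record's timestamp and action land
# at the end of the previous line). Public addresses stay as "<public IP>".
SAMPLE = """\
========================================================================
Entire Traffic Log list
Current system time is Thu, 25 Apr 2019 09:38:19
========================================================================
Time Stamp Action Source Destination Translated Source Translated Dest Duration Bytes Sent Bytes Received Application Reason
2019-04-25 09:38:19 Permit
10.11.100.139:49573 192.168.3.2:9090 10.11.100.139:49573 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation 2019-04-25 09:38:19 Permit
10.11.100.104:52934 <public IP>:443 <public IP>:30233 <public IP>:443 0 sec 0 0 HTTPS Creation 2019-04-25 09:38:19 Deny
10.10.1.50:60239 <public IP>:443 0.0.0.0:0 0.0.0.0:0 0 sec 0 28 HTTPS Traffic Denied 2019-04-25 09:38:19 Permit
10.11.100.139:49572 192.168.3.2:9090 10.11.100.139:49572 192.168.3.2:9090 0 sec 0 0 TCP PORT 9090 Creation
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# An endpoint is host:port; the host is a dotted quad or the redaction placeholder.
ENDPOINT = r"(?:\d{1,3}(?:\.\d{1,3}){3}|<public IP>):\d+"
# Reason values seen in the sample (assumption: extend for your firewall's output).
REASONS = ("Creation", "Traffic Denied")

RECORD = re.compile(
    rf"^(?P<timestamp>{TIMESTAMP})\s+"
    rf"(?P<action>Permit|Deny)\s+"
    rf"(?P<src>{ENDPOINT})\s+(?P<dst>{ENDPOINT})\s+"
    rf"(?P<translated_src>{ENDPOINT})\s+(?P<translated_dst>{ENDPOINT})\s+"
    rf"(?P<duration>\d+) sec\s+"
    rf"(?P<bytes_sent>\d+)\s+(?P<bytes_received>\d+)\s+"
    rf"(?P<application>.+?)\s+"
    rf"(?P<reason>{'|'.join(re.escape(r) for r in REASONS)})$"
)


def split_records(text: str) -> List[str]:
    """Ignore physical line breaks; a record starts wherever a timestamp appears.

    Anything before the first timestamp (the banner and header row) is dropped.
    """
    flat = " ".join(text.split())  # collapse all whitespace, newlines included
    parts = re.split(rf"\s*(?={TIMESTAMP})", flat)  # split *before* each timestamp
    return [p for p in parts if re.match(TIMESTAMP, p)]


def parse_record(record: str) -> Dict[str, str]:
    """Map one record onto the column names from the log's header row."""
    m = RECORD.match(record)
    if not m:
        # Fail loudly: a silently skipped record is how denied traffic goes unseen.
        raise ValueError(f"unparsed record: {record!r}")
    return m.groupdict()


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_record(r) for r in split_records(text)]


def count_by_action(records: List[Dict[str, str]]) -> Dict[str, int]:
    """The kind of selection the poster wants: how many Permit vs Deny records."""
    return dict(Counter(r["action"] for r in records))


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for r in records:
        print(r["timestamp"], r["action"], r["src"], "->", r["dst"], r["reason"])
    print(count_by_action(records))
```

The same idea carries over to Splunk: the stanza for your sourcetype in props.conf needs event breaking anchored on the timestamp rather than on newlines (the LINE_BREAKER setting, with SHOULD_LINEMERGE set to false, plus TIME_PREFIX and TIME_FORMAT for the date), and the field regex above can serve as the basis of an EXTRACT-&lt;name&gt; setting. To find which props.conf actually carries your sourcetype's stanza, run `$SPLUNK_HOME/bin/splunk btool props list <your_sourcetype> --debug`; the --debug flag prints the file path each setting comes from.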