Splunk for Juniper SRX - Events Indexed is climbing however I can't view the results

bmilo
New Member

I've got an SRX 220, set to spit out logs to the Splunk. Events Indexed is at 2,475 and climbing over the last 4 hours. In troubleshooting the config, I made a couple of edits related to the inputs.conf file, so I'd like to ensure that these are correct.

  [udp://514]
  host = servername
  connection_host = ip
  sourcetype = syslog             # I've read some conflicting posts about using a custom srx_log instead of syslog
  no_appending_timestamp = true   # added this line after reading a couple of threads that said it was necessary

My issue is that when I go into the App: Splunk for Juniper SRX, regardless of whether I go to the Traffic Dashboard or the Application Dashboard, I'm receiving "No results found. Inspect..."

I'm not sure if I've banged up the config within Splunk, or if I'm not sending the correct data out of the SRX. Any help would be greatly appreciated.


okrabbe_splunk
Splunk Employee

The sourcetype needs to be "srx_log".

The README file specifically mentions this. The data comes in as srx_log and then gets split into two other sourcetypes "srx_threat" and "srx_traffic". You can see this by going to the app and looking at the file in default called props.conf, transforms.conf and macros.conf.

In macros.conf you will see the base macros are expecting your data to have certain sourcetypes. All of the other searches are based off of this.

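To make the answer above concrete, here is an added example (not code from the thread or from the Splunk for Juniper SRX app) that shows the mechanism it describes: events that arrive as Junos structured syslog are routed into a traffic or threat sourcetype, while lines that are not SRX output land in neither and are invisible to the app's macros. The sample syslog lines are constructed, and the two routing regexes are my assumption standing in for the app's real props.conf/transforms.conf rules, which the thread does not show.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The first three follow
# the Junos structured-syslog layout an SRX emits; the last is the kind of
# non-SRX line the poster's sourcetype=syslog search turned up.
SAMPLES = [
    '<14>1 2013-06-01T12:00:00Z srx220 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.39 source-address="10.1.1.5" source-port="51234" '
    'destination-address="93.184.216.34" destination-port="443" '
    'protocol-id="6" policy-name="allow-web"]',
    '<14>1 2013-06-01T12:00:05Z srx220 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.39 source-address="10.1.1.9" source-port="40000" '
    'destination-address="10.1.2.2" destination-port="23" protocol-id="6" '
    'policy-name="default-deny"]',
    '<12>1 2013-06-01T12:00:07Z srx220 RT_IDP - RT_IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.39 attack-name="HTTP:OVERFLOW:HEADER" '
    'source-address="10.1.1.9" destination-address="10.1.2.2" action="DROP"]',
    'Jun  1 12:00:09 ap1 infctld: uplink-monitor.update() prev observation is eth[eth0]',
]

# Assumed split rules (illustrative only; the app's actual rules are not on
# the page): session events become srx_traffic, IDP events become srx_threat.
RULES = [
    (re.compile(r'\bRT_FLOW_SESSION_(CREATE|CLOSE|DENY)\b'), 'srx_traffic'),
    (re.compile(r'\bRT_IDP_ATTACK_LOG_EVENT\b'), 'srx_threat'),
]
# key="value" pairs inside the Junos structured-data block
KV = re.compile(r'([\w-]+)="([^"]*)"')


def classify(line):
    """Return (sourcetype, fields); sourcetype is None for a non-SRX line."""
    for pattern, sourcetype in RULES:
        if pattern.search(line):
            return sourcetype, dict(KV.findall(line))
    return None, {}


def summarize(lines):
    """Count lines per SRX sourcetype; 'not_srx' counts lines the app's
    macros would never select."""
    counts = Counter()
    for line in lines:
        sourcetype, _ = classify(line)
        counts[sourcetype or 'not_srx'] += 1
    return counts


if __name__ == '__main__':
    for line in SAMPLES:
        st, fields = classify(line)
        print(st, fields.get('source-address'), fields.get('destination-address'))
    print(dict(summarize(SAMPLES)))
```

If every line you pull from the udp:514 input comes back as not_srx, the problem is what the device sends rather than the sourcetype setting alone.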

bmilo
New Member

Version 6.1
search sourcetype=syslog results in a page with a left column and main view. The left column is filled with Selected Fields, host (7) / source (1) / sourcetype (1), followed below by Interesting Fields: date_hour, date_mday, date_minute, date_month, etc.

My main view window lists i, time and event columns, with a slew of info within those columns.

  • Various things like
  • uplink is eth0
  • ace_reporter.reporter_inform_send(): connect (http://ip:8080/inform, ip=192...) in progress.
  • infctld.mcast_beacon()uplink-monitor.update() prev observation is eth[eth0]

okrabbe_splunk
Splunk Employee

What version of Splunk?

Also, can you tell us what you see if you just go to the search app and type in a search sourcetype=syslog?
