Perhaps I was overthinking this when I set a sourcetype to windows_snare_syslog
- are there no field extractions built "out of the box", so to speak? We are running v5.
This app might be of interest to you: http://splunk-base.splunk.com/apps/30824/expanded-snare-syslog
Thanks Ayn. I had seen that but the word "expanded" in the description implied to me that there might be some additional out of the box field extractions for snare that I wasn't seeing for whatever reason. Guess not; will check it out.
I did just look and am seeing that. The disappointing thing is the syslog-extractions in the transforms.conf is just for process and pid. Had hoped for more value from this sourcetype w/o me having to develop it =).
Over here there is a field extraction windows_snare_syslog : REPORT-syslog that maps to the field transformation syslog-extractions.
Are you not seeing that, or is that not doing what you expected?
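To make the gap concrete: the stock syslog-extractions transform is shaped for a `process[pid]:` syslog header, while a Snare agent forwards Windows events as a tab-delimited payload behind the syslog header, so the generic extraction has nothing to match and you end up writing your own. The script below is an added example, not code from the thread or from the expanded-snare-syslog app; the sample events are constructed, the `SYSLOG_PROCESS_RE` pattern is a simplified stand-in for the stock transform (not Splunk's actual regex), and the Snare field order in `SNARE_FIELDS` is assumed from the Snare agent's documented layout rather than stated anywhere in the thread.

```python
"""Compare a generic syslog process/pid extraction with a Snare-aware
field extraction over constructed sample events."""
import re
from typing import Optional

# Simplified stand-in for the stock syslog "process[pid]:" extraction.
# Assumption: not Splunk's actual regex, just the same shape.
SYSLOG_PROCESS_RE = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"([\w./-]+)(?:\[(\d+)\])?:\s"
)

# Assumed Snare payload layout: tab-separated fields that follow the
# "MSWinEventLog" marker, in the order the Snare agent documents them.
SNARE_FIELDS = [
    "criticality", "event_log", "snare_counter", "event_time", "event_id",
    "source_name", "user", "sid_type", "event_log_type", "computer",
    "category", "message",
]

# Constructed sample events (not taken from the thread).
SNARE_LINE = (
    "<13>Jan 10 12:34:56 WIN-DC01 MSWinEventLog\t1\tSecurity\t4711\t"
    "Wed Jan 10 12:34:56 2024\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tFailure Audit\tWIN-DC01\tLogon\t"
    "An account failed to log on. Account Name: jdoe Logon Type: 3\t0"
)
PLAIN_SYSLOG_LINE = (
    "<86>Jan 10 12:35:01 lnx01 sshd[2231]: Accepted publickey for ops"
)


def extract_syslog_process(line: str) -> Optional[dict]:
    """Generic syslog extraction: only process and pid, or nothing."""
    m = SYSLOG_PROCESS_RE.match(line)
    if not m:
        return None
    return {"process": m.group(1), "pid": m.group(2)}


def parse_snare(line: str) -> Optional[dict]:
    """Snare-aware extraction: split the tab-delimited payload into
    named Windows event fields plus the syslog host."""
    head, sep, rest = line.partition("MSWinEventLog\t")
    if not sep:
        return None  # not a Snare-formatted event
    values = rest.split("\t")
    if len(values) < len(SNARE_FIELDS):
        return None  # truncated payload; do not guess field positions
    fields = dict(zip(SNARE_FIELDS, values))
    # The syslog hostname is the last space-separated token of the header.
    fields["host"] = head.split()[-1]
    # Anything after the message (expanded string / checksum) is kept raw.
    fields["trailer"] = values[len(SNARE_FIELDS):]
    return fields


if __name__ == "__main__":
    print("generic on Snare line :", extract_syslog_process(SNARE_LINE))
    print("generic on sshd line  :", extract_syslog_process(PLAIN_SYSLOG_LINE))
    for k, v in (parse_snare(SNARE_LINE) or {}).items():
        print(f"{k:>15}: {v}")
```

Running it shows the generic pattern returning nothing for the Snare event (there is no `process[pid]:` token to match) while still pulling `sshd`/`2231` from an ordinary syslog line, and the Snare parser yielding event_id, user, computer, category and message. In Splunk terms, the tab split is the part you would express in your own transforms.conf stanza with DELIMS and FIELDS rather than a REGEX, referenced from the windows_snare_syslog props stanza alongside the existing REPORT-syslog.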