
Splunk for Juniper SRX - Events Indexed is climbing however I can't view the results

bmilo
New Member

I've got an SRX 220, set to spit out logs to Splunk. Events Indexed is at 2,475 and climbing over the last 4 hours. In troubleshooting the config, I made a couple of edits related to the inputs.conf file, so I'd like to ensure that these are correct.

  [udp://514]
  host = servername
  connection_host = ip
  sourcetype = syslog             # I've read some conflicting posts about using a custom srx_log instead of syslog
  no_appending_timestamp = true   # added this line after reading a couple of threads that said it was necessary

My issue is that when I go into the App: Splunk for Juniper SRX, regardless of whether I go to the Traffic Dashboard or the Application Dashboard, I'm receiving "No results found. Inspect...".

I'm not sure if I've banged up the config within Splunk, or if I'm not sending the correct data out of the SRX. Any help would be greatly appreciated.


okrabbe_splunk
Splunk Employee

The sourcetype needs to be "srx_log".

The README file specifically mentions this. The data comes in as srx_log and then gets split into two other sourcetypes, "srx_threat" and "srx_traffic". You can see this by going to the app and looking at the files in default called props.conf, transforms.conf and macros.conf.

In macros.conf you will see the base macros are expecting your data to have certain sourcetypes. All of the other searches are based off of this.

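To see why a sourcetype of syslog leaves the dashboards empty, here is an added Python model of the pipeline the answer above describes (example code written for this page, not code from the Splunk for Juniper SRX app or from Splunk): it reads the sourcetype out of the posted inputs.conf stanza, applies sourcetype-rewriting rules only to events that arrive as srx_log, the way a props.conf [srx_log] stanza with TRANSFORMS would, and then runs the equivalent of the base macros. The sample events, the routing regexes and the macro names srx_traffic_base / srx_threat_base are assumptions for illustration; the app's real ones live in its default/props.conf, transforms.conf and macros.conf.

```python
import re
from collections import Counter
from configparser import ConfigParser

# The poster's inputs.conf stanza, reproduced for the example, and the corrected one.
POSTED_STANZA = """
[udp://514]
host = servername
connection_host = ip
sourcetype = syslog
no_appending_timestamp = true
"""

CORRECTED_STANZA = POSTED_STANZA.replace("sourcetype = syslog", "sourcetype = srx_log")

# Constructed sample events shaped like Junos syslog output (not captured from the
# poster's SRX 220). RT_FLOW_SESSION_* and IDP_ATTACK_LOG_EVENT are real Junos log tags.
SAMPLE_EVENTS = [
    "srx220 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51234->93.184.216.34/443 junos-https",
    "srx220 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.0.0.5/51234->93.184.216.34/443",
    "srx220 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.9/2345->10.0.0.1/23 junos-telnet",
    "srx220 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1398945601, SIG Attack log <10.0.0.9/1234->10.0.0.1/80>",
    "srx220 sshd[1234]: Accepted password for admin from 10.0.0.50 port 4321 ssh2",
]

# Stand-ins for the app's transforms.conf sourcetype rewrites. Splunk binds them to a
# props.conf [srx_log] stanza, so they only ever see events that arrived as srx_log.
# These regexes are assumptions for illustration; the real ones are in the app's default/ dir.
ROUTING = [
    ("srx_traffic", re.compile(r"RT_FLOW_SESSION_(CREATE|CLOSE|DENY)")),
    ("srx_threat", re.compile(r"IDP_ATTACK_LOG_EVENT")),
]

# Hypothetical base macros: the app's macros.conf uses its own names, but each base
# macro is a search constrained to a sourcetype, which is all this model needs.
BASE_MACROS = {
    "srx_traffic_base": "sourcetype=srx_traffic",
    "srx_threat_base": "sourcetype=srx_threat",
}


def input_sourcetype(stanza_text, stanza="udp://514"):
    """Read the sourcetype Splunk will stamp on every event from the UDP input."""
    cfg = ConfigParser()
    cfg.read_string(stanza_text)
    return cfg.get(stanza, "sourcetype")


def index_time_sourcetype(event, incoming):
    """Model index-time processing: rewrites fire only for the sourcetype they are bound to."""
    if incoming != "srx_log":
        return incoming            # e.g. 'syslog': nothing in the app's props.conf matches it
    for new_st, pattern in ROUTING:
        if pattern.search(event):
            return new_st
    return incoming                # non-flow, non-IDP lines stay srx_log


def index_events(stanza_text, events=SAMPLE_EVENTS):
    """Index the sample events under the sourcetype the given inputs.conf stanza sets."""
    incoming = input_sourcetype(stanza_text)
    return [(index_time_sourcetype(e, incoming), e) for e in events]


def sourcetype_counts(indexed):
    return dict(Counter(st for st, _ in indexed))


def run_macro(indexed, macro):
    """Evaluate a base macro as a dashboard panel would: filter on its sourcetype clause."""
    wanted = BASE_MACROS[macro].split("=", 1)[1]
    return [e for st, e in indexed if st == wanted]


if __name__ == "__main__":
    for label, stanza in (("posted", POSTED_STANZA), ("corrected", CORRECTED_STANZA)):
        indexed = index_events(stanza)
        print(label, sourcetype_counts(indexed))
        for macro in BASE_MACROS:
            print(f"  {macro}: {len(run_macro(indexed, macro))} results")
```

With the posted stanza every event stays sourcetype=syslog and both macros return nothing, which is exactly the "No results found" the dashboards show; with the corrected stanza the same five events split into three srx_traffic, one srx_threat and one leftover srx_log. If the corrected stanza still produces no results, the next thing to check is whether the events arriving on udp://514 are SRX RT_FLOW/IDP logs at all, which a plain sourcetype=srx_log search in the Search app will show.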

bmilo
New Member

Version 6.1
Searching sourcetype=syslog results in a page with a left column and main view. The left column is filled with Selected Fields: host (7) / source (1) / sourcetype (1), followed below by Interesting Fields: date_hour, date_mday, date_minute, date_month, etc.

My main view window lists i, time and event columns, with a slew of info within those columns.

  • Various things like
  • uplink is eth0
  • ace_reporter.reporter_inform_send(): connect (http://ip:8080/inform, ip=192...) in progress.
  • infctld.mcast_beacon()uplink-monitor.update() prev observation is eth[eth0]

okrabbe_splunk
Splunk Employee

What version of Splunk?

Also, can you tell us what you see if you just go to the Search app and type in the search sourcetype=syslog?
