
The events are not parsing

jibin1988
Path Finder

Hi,
I am using the Expanded Snare syslog app on the HF. But the problem here is that the data is not getting parsed as per the props.conf in the app.

Do we have to install this app on the indexers as well? Or will the HF do the parsing before sending the logs to the indexers?

Please help!!

props.conf :

[windows_snare_syslog]
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
REPORT-colon_1 = snare_colon_1
REPORT-colon_2 = snare_colon_2
#REPORT-colon_3 = snare_colon_3

EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P<Event_ID>[^\t]+)
EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P<Event_Log>[^\t]+)
EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P<Event_Source>[^\t]+)

SHOULD_LINEMERGE = False
TIME_FORMAT = %b %d %H:%M:%S

woodcock
Esteemed Legend

For props.conf files, best-practice is to deploy EVERYWHERE. In your case, you must deploy:

These go to the HF:

 [windows_snare_syslog]
 MAX_TIMESTAMP_LOOKAHEAD = 32
 TRANSFORMS = syslog-host
 SHOULD_LINEMERGE = False
 TIME_FORMAT = %b %d %H:%M:%S

These go to Search Head:

 [windows_snare_syslog]
 REPORT-syslog = syslog-extractions
 REPORT-colon_1 = snare_colon_1
 REPORT-colon_2 = snare_colon_2
 #REPORT-colon_3 = snare_colon_3
 EXTRACT-Event_ID = (?i)^(?:[^\t]*\t){5}(?P<Event_ID>[^\t]+)
 EXTRACT-Event_Log = (?i)^(?:[^\t]*\t){2}(?P<Event_Log>[^\t]+)
 EXTRACT-Event_Source = (?i)^(?:[^\t]*\t){6}(?P<Event_Source>[^\t]+)

But just deploy it everywhere.


oscar84x
Contributor

The HF alone should do the trick but you could put the props and transforms on both the indexer and the HF just in case.
More importantly, though, this seems to be a very old app. Have you checked that the extractions/regexes, timestamps, etc. in the app match the patterns in your events?


sanjeev543
Communicator

Hi @jibin1988, could you please be more specific: what exactly is not getting parsed?
Is it line breaking, the timestamp, or field extractions?

Also, please provide some sample events for us to check and identify the issue.

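To check the stanza against real events the way oscar84x and sanjeev543 suggest, here is an added Python example; it is not code from the thread, from Splunk, or from the Snare app. It applies the three EXTRACT regexes (named groups restored) and the TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD pair to a constructed Snare-style syslog line, shows what happens when the forwarder delivers the record space-separated instead of tab-separated, and sorts the stanza's keys into the HF / search-head split woodcock describes. The sample events, hostnames, and helper names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample (not from the thread): a syslog line carrying a tab-delimited
# Snare record, laid out in the field order the app's regexes assume
# (field index 2 = event log, 5 = event ID, 6 = event source).
TAB_EVENT = (
    "Mar 15 10:20:30 winhost01 MSWinEventLog\t1\tSecurity\t4711\t"
    "Fri Mar 15 10:20:29 2024\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tWINHOST01\tLogon\tAn account was successfully logged on."
)

# Constructed sample of the mismatch oscar84x warns about: same content, but the
# record arrived space-separated, so tab-based regexes cannot line up on it.
SPACE_EVENT = TAB_EVENT.replace("\t", " ")

# Search-time settings from the thread's stanza, with the named groups restored.
EXTRACTS = {
    "Event_ID": r"(?i)^(?:[^\t]*\t){5}(?P<Event_ID>[^\t]+)",
    "Event_Log": r"(?i)^(?:[^\t]*\t){2}(?P<Event_Log>[^\t]+)",
    "Event_Source": r"(?i)^(?:[^\t]*\t){6}(?P<Event_Source>[^\t]+)",
}

# Index-time settings from the same stanza.
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 32

# Key families applied by the parsing tier (the HF here) versus the search tier.
INDEX_TIME_PREFIXES = ("TRANSFORMS", "SHOULD_LINEMERGE", "TIME_FORMAT",
                       "MAX_TIMESTAMP_LOOKAHEAD", "LINE_BREAKER", "TIME_PREFIX")
SEARCH_TIME_PREFIXES = ("REPORT-", "EXTRACT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")

# The keys of the stanza posted in the question.
STANZA_KEYS = ["MAX_TIMESTAMP_LOOKAHEAD", "TRANSFORMS", "REPORT-syslog",
               "REPORT-colon_1", "REPORT-colon_2", "EXTRACT-Event_ID",
               "EXTRACT-Event_Log", "EXTRACT-Event_Source",
               "SHOULD_LINEMERGE", "TIME_FORMAT"]


def extract_fields(event, extracts=EXTRACTS):
    """Apply each EXTRACT-* regex the way search time does: every named group
    that matches becomes a field; a regex that does not match contributes
    nothing, so a layout mismatch shows up as silently missing fields."""
    fields = {}
    for regex in extracts.values():
        match = re.search(regex, event)
        if match:
            fields.update(match.groupdict())
    return fields


def parse_timestamp(event, time_format=TIME_FORMAT, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate index-time timestamp recognition: only the first `lookahead`
    characters are examined, and the longest prefix of that window that fits
    TIME_FORMAT wins. Returns None when nothing fits, which is the case where
    _time ends up wrong because the format and the event disagree."""
    window = event[:lookahead]
    for end in range(len(window), 0, -1):
        try:
            # TIME_FORMAT carries no year, so the result has strptime's default year.
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def split_stanza(keys):
    """Sort props.conf keys into the two deployment targets woodcock describes:
    index-time keys for the first parsing tier (the HF), search-time keys for
    the search head. Anything unrecognised is reported rather than guessed."""
    targets = {"heavy_forwarder": [], "search_head": [], "unknown": []}
    for key in keys:
        if key.startswith(INDEX_TIME_PREFIXES):
            targets["heavy_forwarder"].append(key)
        elif key.startswith(SEARCH_TIME_PREFIXES):
            targets["search_head"].append(key)
        else:
            targets["unknown"].append(key)
    return targets


if __name__ == "__main__":
    for name, event in (("tab-delimited", TAB_EVENT), ("space-delimited", SPACE_EVENT)):
        print(name, "fields:", extract_fields(event), "time:", parse_timestamp(event))
    print(split_stanza(STANZA_KEYS))
```

Running it against a few real events from the HF (replacing the constructed samples) answers sanjeev543's question directly: empty field output points at the EXTRACT regexes, a None timestamp points at TIME_FORMAT or the lookahead, and the split shows which half of the stanza must be on the HF before any of the search-head half can matter.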