I'm working on the same thing, actually. I'm curious if you've managed to get a good setup for this. Here's what I have in my props.conf:
[suricata_stats_log2]
BREAK_ONLY_BEFORE = Date:
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = False
TIME_PREFIX = Date:
pulldown_type = 1
EXTRACT-Counter = (?i)(?P<Counter>[^ ]+)\s+\|\s+\w+\s+\|\s+\d+
EXTRACT-TM_Name = (?i)\..*? \| (?P<TM_Name>\w+)(?= )
EXTRACT-Value = (?i) .*? \| (?P<Value>\d+)
Each line (tcp.sessions | Detect | 2932, etc.) is its own event with the correct timestamp. However, I'm not sure I like this particular solution yet. 272 actual stats turn into over 27000 events in Splunk! I'm still futzing with it to try to find something I like.
I've tried multikv and either it didn't work at all, or I was totally broken in my search implementation of it, heh.
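As an added illustration (not part of the original post or of Splunk's or Suricata's own code), here is a small Python parser for the stats.log layout the props.conf above targets. It shows the two shapes the post contrasts: one event per "Counter | TM Name | Value" line, which is what the EXTRACT-* regexes produce and what multiplies 272 counters into thousands of events, versus one event per "Date:" snapshot that carries all counters as fields. It also computes the delta of a cumulative counter between snapshots, which is the value a defender usually wants to alert on (for example a jump in kernel drops means the sensor is missing traffic). The sample log text is constructed for this example, and the field names Counter, TM_Name and Value are taken from the props.conf in the post; the `Counter/TM_Name` key format is my own choice.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Suricata's stats.log (two snapshots).
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------------
Date: 3/15/2015 -- 11:33:39 (uptime: 0d, 00h 00m 20s)
------------------------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets    | Total                     | 6000
capture.kernel_drops      | Total                     | 10
tcp.sessions              | Detect                    | 2932
------------------------------------------------------------------------------------
Date: 3/15/2015 -- 11:33:49 (uptime: 0d, 00h 00m 30s)
------------------------------------------------------------------------------------
Counter                   | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets    | Total                     | 9000
capture.kernel_drops      | Total                     | 510
tcp.sessions              | Detect                    | 3100
"""

# Snapshot header: "Date: M/D/YYYY -- HH:MM:SS (uptime: ...)" (same anchor as TIME_PREFIX = Date:).
DATE_RE = re.compile(
    r"^Date:\s*(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2})"
    r"(?:\s*\(uptime:\s*(?P<uptime>[^)]*)\))?"
)

# Counter line: "name | TM name | integer". The column header and the dashed
# separator lines do not match because "TM Name" contains a space and "Value"
# is not an integer.
COUNTER_RE = re.compile(
    r"^(?P<Counter>[^\s|]+)\s*\|\s*(?P<TM_Name>\w+)\s*\|\s*(?P<Value>\d+)\s*$"
)


def parse_stats_log(text):
    """Return one snapshot dict per 'Date:' block, all counters as fields."""
    snapshots = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = {
                "timestamp": datetime.strptime(m.group("ts"), "%m/%d/%Y -- %H:%M:%S"),
                "uptime": m.group("uptime"),
                "counters": {},
            }
            snapshots.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            # Key format "counter/TM" is an assumption for this example; a
            # counter name can repeat across thread modules, so both are kept.
            key = f"{m.group('Counter')}/{m.group('TM_Name')}"
            current["counters"][key] = int(m.group("Value"))
    return snapshots


def flatten_to_line_events(snapshots):
    """One event per counter line: the shape the props.conf in the post yields."""
    events = []
    for snap in snapshots:
        for key, value in snap["counters"].items():
            counter, tm_name = key.split("/", 1)
            events.append({
                "timestamp": snap["timestamp"],
                "Counter": counter,
                "TM_Name": tm_name,
                "Value": value,
            })
    return events


def counter_deltas(snapshots, key):
    """Change of a cumulative counter between consecutive snapshots."""
    values = [s["counters"].get(key) for s in snapshots]
    return [b - a for a, b in zip(values, values[1:])
            if a is not None and b is not None]


if __name__ == "__main__":
    snaps = parse_stats_log(SAMPLE_STATS_LOG)
    print(f"{len(snaps)} snapshots -> {len(flatten_to_line_events(snaps))} line events")
    print("kernel_drops delta per interval:",
          counter_deltas(snaps, "capture.kernel_drops/Total"))
```

With real stats.log input the ratio between the two shapes is the same one the post observes: the number of line events is the number of snapshots times the number of counters, while the snapshot shape gives one event per interval and keeps the counters comparable across time.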