[Bro] problem ingesting bro json logs into splunk
philosnef at yahoo.com
Thu Jul 14 06:33:50 PDT 2016
We are getting a spurious sourcetype when ingesting Bro JSON logs into Splunk.
Specifically, we are getting a sourcetype of bro_00. There is no log file named this, and the splunkforwarder is just pushing the raw logs for indexing into Splunk. There is no massaging of the log data. Anyone know why this sourcetype is popping up?
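The usual way to rule out forwarder-side sourcetype guessing is to pin the sourcetype explicitly on the monitored input and give that sourcetype a JSON parsing stanza. The configuration below is an added example, not from the original post or the Bro project; the log path, index name and the sourcetype name `bro_json` are assumptions, and the `ts` epoch timestamp layout reflects Bro's JSON writer format.

```ini
# inputs.conf on the forwarder (example; path, index and sourcetype name are assumed)
# Pinning "sourcetype" here stops Splunk from auto-assigning a learned sourcetype
# name for files it cannot otherwise classify.
[monitor:///opt/bro/logs/current/*.log]
index = bro
sourcetype = bro_json
disabled = false

# props.conf on the indexer / heavy forwarder (example; stanza name matches the pinned sourcetype)
# Parse each line as a JSON object and take the event time from Bro's "ts" field,
# which is written as epoch seconds with six fractional digits.
[bro_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
TIMESTAMP_FIELDS = ts
TIME_FORMAT = %s.%6N
SHOULD_LINEMERGE = false
```

After restarting the forwarder, a search such as `index=bro | stats count by sourcetype, source` should show only the pinned sourcetype; if `bro_00` still appears, it is coming from an input that is not covered by the monitor stanza above, and the `source` field will show which file that is.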