[Bro] problem ingesting bro json logs into splunk

Azoff, Justin S jazoff at illinois.edu
Thu Jul 14 08:59:48 PDT 2016


> On Jul 14, 2016, at 11:33 AM, Gross, Brett <gross.b at ghc.org> wrote:
> 
> We’ve used bro and splunk at our organization for a couple years now. We utilize the Splunk props and transforms configs to ingest the bro log in the format we want or with the additional attributes and aliases. 

Ah, that's for the tab-delimited logs, not the JSON logs though.  I actually did it that way for years, I even have a Python program that helps you generate the config:

https://github.com/JustinAzoff/bro_scripts/blob/2.0/generate_splunk_configs.py

But, I wouldn't use this method - the Splunk TA app for Bro is better.

As far as I know the transforms/props method only does the field lookups at search time, not at index time like the TA app configures.

Whenever the bro logs change and a column is added or removed, all those search time field lookups break.


-- 
- Justin Azoff
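The fragility Justin describes, positional field extraction breaking when a column is added, is easy to see in a few lines. The following is an added example, not code from the original post and not the linked generate_splunk_configs.py script: it parses a Bro ASCII log header, emits the kind of props.conf/transforms.conf stanza the props/transforms method relies on (delimiter-based DELIMS/FIELDS extraction), then applies that stanza's column list to a record from a newer log that gained a column. The log samples are constructed, the sourcetype name `bro_<path>` and the dot-to-underscore renaming of fields such as `id.orig_h` are this example's own choices, and `extract_positional`/`extract_json` only model what the two extraction styles do, they are not Splunk's implementation.

```python
import json
import re

# Constructed sample (not from the original post): a Bro tab-delimited conn.log
# header plus one record, as the props/transforms approach would see it.
BRO_TSV_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1468508388.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\n"
)

# Same connection after a hypothetical (constructed) script adds a 'vlan'
# column right after 'uid': every later column shifts one position right.
BRO_TSV_LOG_WITH_VLAN = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tvlan\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1468508388.123456\tCXWv6p3arKYeMETxOg\t100\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\n"
)

# The same record as Bro's JSON writer would emit it (constructed): every
# event carries its own keys, so column order stops mattering.
BRO_JSON_RECORD = (
    '{"ts":1468508388.123456,"uid":"CXWv6p3arKYeMETxOg","vlan":100,'
    '"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34",'
    '"id.resp_p":443,"proto":"tcp"}'
)


def parse_bro_header(text):
    """Return (separator, field_names, data_lines) from a Bro ASCII log.

    The '#separator' line stores the separator as an escape such as '\\x09';
    decode it before splitting the '#fields' line and the records with it.
    """
    sep = "\t"
    fields = []
    data = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif not line.startswith("#"):
            data.append(line)
    return sep, fields, data


def splunk_field_name(bro_field):
    """Map a Bro column name to a Splunk field name.  Assumption of this
    example: dots (as in 'id.orig_h') and other punctuation become '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", bro_field)


def generate_splunk_config(path, fields):
    """Build props.conf and transforms.conf text for one Bro log type using
    delimiter-based extraction (DELIMS/FIELDS).  The sourcetype 'bro_<path>'
    is this example's naming choice, not a Splunk or TA convention."""
    sourcetype = "bro_" + path
    report = sourcetype + "_fields"
    props = "[%s]\nREPORT-fields = %s\n" % (sourcetype, report)
    quoted = ",".join('"%s"' % splunk_field_name(f) for f in fields)
    transforms = '[%s]\nDELIMS = "\\t"\nFIELDS = %s\n' % (report, quoted)
    return props, transforms


def extract_positional(record, sep, fields):
    """Model of DELIMS/FIELDS: the Nth value gets the Nth configured name,
    whatever the log actually contains today."""
    return dict(zip((splunk_field_name(f) for f in fields), record.split(sep)))


def extract_json(record):
    """Model of a JSON-aware extraction: names travel with the event."""
    return {splunk_field_name(k): v for k, v in json.loads(record).items()}


def demo():
    """Generate config from the old header, then apply it to the new log."""
    sep, old_fields, _ = parse_bro_header(BRO_TSV_LOG)
    props, transforms = generate_splunk_config("conn", old_fields)
    _, new_fields, new_data = parse_bro_header(BRO_TSV_LOG_WITH_VLAN)
    stale = extract_positional(new_data[0], sep, old_fields)   # shifted
    fresh = extract_positional(new_data[0], sep, new_fields)   # regenerated
    from_json = extract_json(BRO_JSON_RECORD)                  # unaffected
    return props, transforms, stale, fresh, from_json


if __name__ == "__main__":
    props, transforms, stale, fresh, from_json = demo()
    print(props + transforms)
    print("stale   id_orig_h =", stale["id_orig_h"], "proto =", stale["proto"])
    print("fresh   id_orig_h =", fresh["id_orig_h"], "proto =", fresh["proto"])
    print("json    id_orig_h =", from_json["id_orig_h"], "vlan =", from_json["vlan"])
```

With the stale FIELDS list, `id_orig_h` silently becomes the VLAN number and `proto` becomes the responder port, which is exactly the kind of breakage that only shows up in search results; regenerating the stanza from the new `#fields` header (or ingesting the JSON output, where each event names its own keys) avoids it.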