Open csbflyer opened 4 months ago
The sampleDir key is not honored when set in a stanza containing PCRE
The script finds the first file in the directory and then tries to find it in the default sample directory: ERROR LOG ################# 2024/05/27 15:11:05 Buffer passed to eventgen-go [conn.log..*] sampleDir = /opt/splunk/etc/apps/TA-dta/samples interval = 604800 sourcetype = bro:json token.0.replacement = %s.%f token.0.replacementType = timestamp disabled = false mode = replay sampleDir = /home/splunk/dta_logs/zeek_logs/data token.0.token = \d{10}.\d{1,6} outputMode = modinput [global] sampleDir = /opt/splunk/etc/apps/TA-dta/samples disabled = false outputMode = modinput time="2024-05-27T15:11:05Z" level=info msg="Parsing configuration for sample: conn.log.20:00:00-21:00:00" time="2024-05-27T15:11:05Z" level=error msg="Sample file does not exist at path: /opt/splunk/etc/apps/TA-dta/samples/conn.log.20:00:00-21:00:00" time="2024-05-27T15:11:05Z" level=warning msg="Could not resolve Splunk fields, no lines detected"
CURRENT CONFIG ################# [conn.log..*] disabled = false sampleDir = /home/splunk/dta_logs/zeek_logs/data mode = replay sourcetype = bro:json interval = 604800 token.0.token = \d{10}.\d{1,6} token.0.replacementType = timestamp token.0.replacement = %s.%f
This works if I put the files in /opt/splunk/etc/apps/TA-dta/samples
The sampleDir key is not honored when set in a stanza containing PCRE
The script finds the first file in the directory and then tries to find it in the default sample directory: ERROR LOG ################# 2024/05/27 15:11:05 Buffer passed to eventgen-go [conn.log..*] sampleDir = /opt/splunk/etc/apps/TA-dta/samples interval = 604800 sourcetype = bro:json token.0.replacement = %s.%f token.0.replacementType = timestamp disabled = false mode = replay sampleDir = /home/splunk/dta_logs/zeek_logs/data token.0.token = \d{10}.\d{1,6} outputMode = modinput [global] sampleDir = /opt/splunk/etc/apps/TA-dta/samples disabled = false outputMode = modinput time="2024-05-27T15:11:05Z" level=info msg="Parsing configuration for sample: conn.log.20:00:00-21:00:00" time="2024-05-27T15:11:05Z" level=error msg="Sample file does not exist at path: /opt/splunk/etc/apps/TA-dta/samples/conn.log.20:00:00-21:00:00" time="2024-05-27T15:11:05Z" level=warning msg="Could not resolve Splunk fields, no lines detected"
CURRENT CONFIG ################# [conn.log..*] disabled = false sampleDir = /home/splunk/dta_logs/zeek_logs/data mode = replay sourcetype = bro:json interval = 604800 token.0.token = \d{10}.\d{1,6} token.0.replacementType = timestamp token.0.replacement = %s.%f
This works if I put the files in /opt/splunk/etc/apps/TA-dta/samples