FAQ

I edited the transforms from Splunk Web and now I have content in the local directory. How do I merge this with the default content?

You can merge content from the local directory by copying the stanzas from the file in local directory into the corresponding file in the default directory.

For example say you want to merge the following:

The local transforms file (local/transforms.conf) includes:

   [bluecoat]
   SHOULD_LINEMERGE = false

   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

The default transforms file (default/transforms.conf) includes:

   [bluecoat]
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat

The combined transforms file (in default/transforms.conf) would look like this:

   [bluecoat]
   SHOULD_LINEMERGE = false
   REPORT-0auto_kv_for_bluecoat = auto_kv_for_bluecoat
   [product_static_Proxy]
   REGEX = (.)
   FORMAT = product::"Proxy"

Once you have migrated all the stanzas, make sure to delete the files in the local directory.

My source data is mostly tab-delimited, but the first three fields are space-delimited... these fields contain the date and time, the log host, and the log type. What should I do?

Put these fields into one field called log_header and ignore it. The fields are not necessary for the add-on to function.

My Nessus data appears to have incorrect time stamps. How do I fix this?

By default, infrequently indexed data like Nessus is indexed using current time to make it automatically available to time-sensitive vulnerability tracking searches, so that it will be seen as more than raw data.

To index using the individual scan ending times, edit TA-Nessus/defaults/prop.conf, comment the "Index w/ current time" section, and uncomment the "Index w/ ReportHost StopTime" option (as follows):

  ## Index w/ current time
  # DATETIME_CONFIG = CURRENT
  ## vs. Index w/ ReportHost StopTime
  DATETIME_CONFIG =
  TIME_PREFIX = end_time="
  TIME_FORMAT = %a %b  %d %H:%M:%S %Y

If the Nessus data appears properly in the Search bar but is not appearing in Vulnerability Center, the data is too old to be searched for notable events. Clone these three searches:

• Network -- Vulnerability Scanner Detection (by event) -- Rule
• Network -- Vulnerability Scanner Detection (by targets) -- Rule
• Network -- Vulnerability Tracker -- Lookup Gen

and then manually run the clones a single time across the time period covering the newly imported Nessus scans.

Known Issues

Splunk fails to extract values spanning multiple lines

Splunk fails to automatically extract values when those values span multiple lines. The fields are extracted with the correct name but the value is left empty if the original value includes multiple lines.

To work around this issue, create a transform that extracts the entire field. Below is a transform that extracts the multi-line field "message" for the source type "acme_firewall":

In transforms.conf:

   [message_for_acme_firewall]
   REGEX = ,\s+message=\"(.*?)(\",\s+\S+\=)
   FORMAT = message::"$1"

Then, enable the transform in default/props.conf in the add-on folder:

   [acme_firewall]
   REPORT-0 message_for_acme_firewall = message_for_acme_firewall