Log Ingestion from Splunk

mgotechlock · July 6, 2020, 8:31pm

I am trying to get logs from Splunk to Logstash. I first tried straight up syslog output from Splunk heavy forwarders to logstash, but that wrote each Windows Event Viewer line to a separate syslog event. I don't want to deal with trying to recombine multiple syslog events into a single Windows event. If anyone has done that, let me know.

Perhaps a better option is to query the Splunk REST API, so I have been trying that. Please tell me there is a prebuilt or community built parser for this data input type. The output looks like this:

{
	"preview": false,
	"init_offset": 0,
	"messages": [],
	"fields": [
		{
			"name": "Analysis_symbol"
		},
		{
			"name": "Cab_Id"
		},
		{
			"name": "ComputerName"
		},
		{
			"name": "EventCode"
		},
		{
			"name": "EventType"
		},
		{
			"name": "Event_Name"
		},
		{
			"name": "Got_the_following_information_from_this_event"
		},
		{
			"name": "Hashed_bucket"
		},
		{
			"name": "Keywords"
		},
		{
			"name": "LogName"
		},
		{
			"name": "Message"
		},
		{
			"name": "OpCode"
		},
		{
			"name": "P1"
		},
		{
			"name": "P10"
		},
		{
			"name": "P2"
		},
		{
			"name": "P3"
		},
		{
			"name": "P4"
		},
		{
			"name": "P5"
		},
		{
			"name": "P6"
		},
		{
			"name": "P7"
		},
		{
			"name": "P8"
		},
		{
			"name": "P9"
		},
		{
			"name": "Rechecking_for_solution"
		},
		{
			"name": "RecordNumber"
		},
		{
			"name": "Report_Id"
		},
		{
			"name": "Report_Status"
		},
		{
			"name": "Response"
		},
		{
			"name": "Sid"
		},
		{
			"name": "SidType"
		},
		{
			"name": "SourceName"
		},
		{
			"name": "TaskCategory"
		},
		{
			"name": "Type"
		},
		{
			"name": "User"
		},
		{
			"name": "_bkt"
		},
		{
			"name": "_cd"
		},
		{
			"name": "_eventtype_color"
		},
		{
			"name": "_indextime"
		},
		{
			"name": "_pre_msg"
		},
		{
			"name": "_raw"
		},
		{
			"name": "_serial"
		},
		{
			"name": "_si"
		},
		{
			"name": "_sourcetype"
		},
		{
			"name": "_time"
		},
		{
			"name": "date_hour"
		},
		{
			"name": "date_mday"
		},
		{
			"name": "date_minute"
		},
		{
			"name": "date_month"
		},
		{
			"name": "date_second"
		},
		{
			"name": "date_wday"
		},
		{
			"name": "date_year"
		},
		{
			"name": "date_zone"
		},
		{
			"name": "eventtype"
		},
		{
			"name": "host"
		},
		{
			"name": "index"
		},
		{
			"name": "linecount"
		},
		{
			"name": "punct"
		},
		{
			"name": "source"
		},
		{
			"name": "sourcetype"
		},
		{
			"name": "splunk_server"
		},
		{
			"name": "splunk_server_group"
		},
		{
			"name": "timeendpos"
		},
		{
			"name": "timestartpos"
		}
	],
	"results": [
		{
			"ComputerName": "SVR-WEB-V01.test.local",
			"EventCode": "1033",
			"EventType": "4",
			"Keywords": "Classic",
			"LogName": "Application",
			"Message": "Windows Installer installed the product. Product Name: Splunk Enterprise. Product Version: 8.0.4.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 0.",
			"OpCode": "Info",
			"RecordNumber": "13539",
			"Sid": "S-1-5-21-2930188092-2083453072-227432495-1113",
			"SidType": "0",
			"SourceName": "MsiInstaller",
			"TaskCategory": "None",
			"Type": "Information",
			"User": "NOT_TRANSLATED",
			"_bkt": "main~1~95603916-0138-4018-BD00-D4D64F548131",
			"_cd": "1:26780",
			"_indextime": "1594066592",
			"_pre_msg": "07/06/2020 04:15:09 PM\nLogName=Application\nSourceName=MsiInstaller\nEventCode=1033\nEventType=4\nType=Information\nComputerName=SVR-WEB-V01.test.local\nUser=NOT_TRANSLATED\nSid=S-1-5-21-2930188092-2083453072-227432495-1113\nSidType=0\nTaskCategory=None\nOpCode=Info\nRecordNumber=13539\nKeywords=Classic",
			"_raw": "07/06/2020 04:15:09 PM\nLogName=Application\nSourceName=MsiInstaller\nEventCode=1033\nEventType=4\nType=Information\nComputerName=SVR-WEB-V01.test.local\nUser=NOT_TRANSLATED\nSid=S-1-5-21-2930188092-2083453072-227432495-1113\nSidType=0\nTaskCategory=None\nOpCode=Info\nRecordNumber=13539\nKeywords=Classic\nMessage=Windows Installer installed the product. Product Name: Splunk Enterprise. Product Version: 8.0.4.1. Product Language: 1033. Manufacturer: Splunk, Inc.. Installation success or error status: 0.",
			"_serial": "0",
			"_si": [
				"SVR-WEB-V01",
				"main"
			],
			"_sourcetype": "WinEventLog:Application",
			"_time": "2020-07-06T16:15:09.000-04:00",
			"date_hour": "16",
			"date_mday": "6",
			"date_minute": "15",
			"date_month": "july",
			"date_second": "9",
			"date_wday": "monday",
			"date_year": "2020",
			"date_zone": "local",
			"host": "SVR-WEB-V01",
			"index": "main",
			"linecount": "15",
			"punct": "//_::_======--..==-------======____.__:__.__:_....",
			"source": "WinEventLog:Application",
			"sourcetype": "WinEventLog:Application",
			"splunk_server": "SVR-WEB-V01",
			"timeendpos": "23",
			"timestartpos": "0"
		}
	],
	"highlighted": {}
}

Has anyone pulled/pushed logs from Splunk to Logstash? If so, can you detail how you did it?

system · August 3, 2020, 8:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows Event Viewer Logs Parsing without Winlogbeat Logstash	2	848	September 9, 2020
Parse stringified json from syslog 3164 events Logstash	3	14	September 2, 2024
Logstash with Splunk Logstash	3	9654	July 6, 2017
Ingesting Windows events forwarded by Splunk heavy forwarders Beats winlogbeat	6	610	March 12, 2023
Parsing Syslog to Logstash Logstash	6	489	March 10, 2020

Log Ingestion from Splunk

Related topics