I agree that appending in json format mode would be nice. We are moving to json format away from tsv to save on tsidx bucket size in splunk. While I dont think we would see a major need for this, it would save analysts from having to scrounge through multiple log files for the same type if somehow the logs rotated out early because of a bro restart.
Related topics
| Topic | Replies | Views | Activity | |
|---|---|---|---|---|
| Feature Request: Append | 5 | 192 | May 6, 2022 | |
| Working with tsv and json log files at the same time | 4 | 383 | May 6, 2022 | |
| Bro Digest, Vol 127, Issue 2 | 1 | 65 | May 6, 2022 | |
| Another assist with Bro and Splunk | 8 | 172 | May 6, 2022 | |
| Bro Splunk file size and removal interaction | 2 | 99 | May 6, 2022 |