https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105419#M22210 <P>I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server</P> <P>all was well when I just had barracuda data as I set a manual UDP data input</P> <P>UDP 514 sourcetype barracuda</P> <P>but now I ALSO need a UDP 514 sourcetype riverbed_steelhead</P> <P>I dont have resource to set up another product to split these in advance of arriving on the Splunk server</P> <P>any help would really be appreciated</P> Wed, 24 Apr 2013 16:49:42 GMT 7070ithelpdesk 2013-04-24T16:49:42Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105419#M22210 <P>I have riverbed 10.10.10.1 and barracuda 10.10.10.2 both writing syslog (on UDP 514 which I cannot change) to my Splunk server</P> <P>all was well when I just had barracuda data as I set a manual UDP data input</P> <P>UDP 514 sourcetype barracuda</P> <P>but now I ALSO need a UDP 514 sourcetype riverbed_steelhead</P> <P>I dont have resource to set up another product to split these in advance of arriving on the Splunk server</P> <P>any help would really be appreciated</P> Wed, 24 Apr 2013 16:49:42 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105419#M22210 7070ithelpdesk 2013-04-24T16:49:42Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105420#M22211 <P>In props.conf, set sourcetype by Host IP.</P> <P><CODE>[host::10.10.10.1]<BR /> sourcetype=barracuda</CODE></P> <P><CODE>[host::10.10.10.2]<BR /> sourcetype=riverbed_steelhead</CODE></P> <P><CODE><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf" target="test_blank">http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf</A></CODE></P> Wed, 24 Apr 2013 17:11:40 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105420#M22211 alacercogitatus 2013-04-24T17:11:40Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105421#M22212 <P>Thanks for this</P> <P>I have quite a few apps installed and each seems to have its own "props.conf" (31 in total) when I seach the Splunk top level folder</P> <P>I assume the entry has to be in the "main" props.conf</P> <P>Could you tell me which one to edit</P> Thu, 25 Apr 2013 09:39:21 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105421#M22212 7070ithelpdesk 2013-04-25T09:39:21Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105422#M22213 <P>I added the sourcetypes below in the props.conf in the folder</P> <P>C:\Program Files\Splunk\etc\system\default</P> <P>I then set my UDP 514 input back to the default syslog </P> <P>an I get no data from my Barracuda</P> Thu, 25 Apr 2013 09:42:17 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105422#M22213 7070ithelpdesk 2013-04-25T09:42:17Z https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105423#M22214 <P>I have tried this solution for my problem.</P> <P>I've set up UDP 514 for sourcetype cisco:asa (most of the syslog hosts are cisco asa's).<BR /> But I need syslog for different sourcetypes like cisco:esa:textmail and McAfee Firewall Enterprise (Sidewinder) etc.</P> <P>I've set up a blank props.conf with the following syntax:<BR /> [host::10.1.1.2] sourcetype = cisco.esa.textmail<BR /> [host::10.1.1.1] sourcetype = cisco.esa.textmail</P> <P>But in the search app the sourcetype is still cisco:asa.</P> <P>What do I have to do additionally?</P> Tue, 24 Feb 2015 08:57:46 GMT https://community.splunk.com/t5/Getting-Data-In/Syslog-from-multiple-devices/m-p/105423#M22214 MOberschelp 2015-02-24T08:57:46Z