https://community.splunk.com/t5/Getting-Data-In/Ingest-Esxi-logs-through-vrealize-into-Splunk-via-syslog/m-p/506508#M86226 <P>Hi All,</P><P>I want to ingest ESXi logs through vrealize in Splunk via syslog. Is there any app to get these logs parse correctly. Currently I installed add-on for ESXi and using source-type=vmw-syslog, logs which I am getting is OK but in datamodel some fields such as user, dest, action are appearing value "unknown". Could you please help me.</P><P>Thanks in advance</P><P>NS</P><P>&nbsp;</P> Mon, 29 Jun 2020 11:13:16 GMT NS2017 2020-06-29T11:13:16Z https://community.splunk.com/t5/Getting-Data-In/Ingest-Esxi-logs-through-vrealize-into-Splunk-via-syslog/m-p/506508#M86226 <P>Hi All,</P><P>I want to ingest ESXi logs through vrealize in Splunk via syslog. Is there any app to get these logs parse correctly. Currently I installed add-on for ESXi and using source-type=vmw-syslog, logs which I am getting is OK but in datamodel some fields such as user, dest, action are appearing value "unknown". Could you please help me.</P><P>Thanks in advance</P><P>NS</P><P>&nbsp;</P> Mon, 29 Jun 2020 11:13:16 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-Esxi-logs-through-vrealize-into-Splunk-via-syslog/m-p/506508#M86226 NS2017 2020-06-29T11:13:16Z https://community.splunk.com/t5/Getting-Data-In/Ingest-Esxi-logs-through-vrealize-into-Splunk-via-syslog/m-p/506536#M86233 Datamodels usually insert "unknown" when a source field is absent. You may need to add some aliases to the props.conf file for the vmw-syslog sourcetype so the needed fields can be found by the DM. Mon, 29 Jun 2020 14:02:30 GMT https://community.splunk.com/t5/Getting-Data-In/Ingest-Esxi-logs-through-vrealize-into-Splunk-via-syslog/m-p/506536#M86233 richgalloway 2020-06-29T14:02:30Z