https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630930#M9249 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>I suppose that you already configured the input from Juniper.</P><P>If not, follow the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/latest/juniper/About?_ga=2.107177089.2041590115.1672646338-1358809174.1667771201&amp;_gl=1*jhzgs1*_ga*MTM1ODgwOTE3NC4xNjY3NzcxMjAx*_ga_5EPM2P39FV*MTY3NjQ1MTg0MS41MDEuMS4xNjc2NDUzMzIxLjU0LjAuMA." target="_blank">https://docs.splunk.com/Documentation/AddOns/latest/juniper/About?_ga=2.107177089.2041590115.1672646338-1358809174.1667771201&amp;_gl=1*jhzgs1*_ga*MTM1ODgwOTE3NC4xNjY3NzcxMjAx*_ga_5EPM2P39FV*MTY3NjQ1MTg0MS41MDEuMS4xNjc2NDUzMzIxLjU0LjAuMA.</A>.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 09:29:13 GMT gcusello 2023-02-15T09:29:13Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630926#M9246 <P>hai team,</P> <P>we are using splunk cloud and one prem HF&nbsp;</P> <P>we are getting juniper logs as syslogs and we are using <SPAN>Splunk_TA_juniper in splunk cloud</SPAN></P> <P><SPAN>how to do field attraction from my end&nbsp;</SPAN></P> Wed, 15 Feb 2023 15:39:13 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630926#M9246 sekhar463 2023-02-15T15:39:13Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630927#M9247 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>if syslogs from Juniper arrive to Splunk Cloud passing through one or more HFs, you have to install the&nbsp;<SPAN>Splunk_TA_juniper also on the HFs because data are coocked on the first Full Splunk instance (HFs) where they are passing trough.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Wed, 15 Feb 2023 09:22:24 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630927#M9247 gcusello 2023-02-15T09:22:24Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630929#M9248 <P>Thanks.</P><P>once installed any config need to do ? will it automatically take&nbsp;</P> Wed, 15 Feb 2023 09:27:09 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630929#M9248 sekhar463 2023-02-15T09:27:09Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630930#M9249 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>I suppose that you already configured the input from Juniper.</P><P>If not, follow the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/latest/juniper/About?_ga=2.107177089.2041590115.1672646338-1358809174.1667771201&amp;_gl=1*jhzgs1*_ga*MTM1ODgwOTE3NC4xNjY3NzcxMjAx*_ga_5EPM2P39FV*MTY3NjQ1MTg0MS41MDEuMS4xNjc2NDUzMzIxLjU0LjAuMA." target="_blank">https://docs.splunk.com/Documentation/AddOns/latest/juniper/About?_ga=2.107177089.2041590115.1672646338-1358809174.1667771201&amp;_gl=1*jhzgs1*_ga*MTM1ODgwOTE3NC4xNjY3NzcxMjAx*_ga_5EPM2P39FV*MTY3NjQ1MTg0MS41MDEuMS4xNjc2NDUzMzIxLjU0LjAuMA.</A>.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 09:29:13 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630930#M9249 gcusello 2023-02-15T09:29:13Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630934#M9250 <P>we already configured the inputs for syslogs&nbsp;</P><P>but if we configured again for the input using ADDON is it leads duplicate logs&nbsp;</P><P>and if we install TA in HF what is the config we need to do for extraction&nbsp;</P><P>does it required inputs or props</P> Wed, 15 Feb 2023 09:55:14 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630934#M9250 sekhar463 2023-02-15T09:55:14Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630936#M9251 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>I suppose that you are ingesting logs from Juniper using an HF.</P><P>Is the HF where you enabled inputs the same that sends logs to Splunk Cloud or there's another intermediate HF?</P><P>On the first HF you have to use the Splunk_TA_for_Juniper enabling the wanted inputs, don't use another app or inputs outside the add-on.</P><P>In this way you correctly ingest logs, that are correctly parsed by the add-on and sent to Splunk Splunk.</P><P>On Splunk Cloud you have to install the same TA for the search time configurations.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 10:07:36 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630936#M9251 gcusello 2023-02-15T10:07:36Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630938#M9252 <P>To be precise, the data is _parsed_ on the HFs, not cooked. Data is cooked on UFs and sent cooked to HFs/indexers. It is parsed on HF and sent to indexers (hence the advice to avoid using HF unless absolutely needed - parsed data is much bigger in volume than cooked data).</P> Wed, 15 Feb 2023 10:37:58 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630938#M9252 PickleRick 2023-02-15T10:37:58Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630940#M9260 <P>yes we have multiple HF "s getting syslogs to splunk cloud for juniper.</P><P>so how we can install ADDON and we need to disable syslog inputs&nbsp;</P> Wed, 15 Feb 2023 10:59:52 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630940#M9260 sekhar463 2023-02-15T10:59:52Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630941#M9261 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>you don't need to disable all syslogs, only the ones from Juniper,</P><P>at the same time the Splunk_TA_Juniper must be installed only in HFs used to ingest logs from Juniper not in all HFs.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 11:11:52 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630941#M9261 gcusello 2023-02-15T11:11:52Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630949#M9262 <P>okay so we can disable syslog input and once installed need to create new inputs in&nbsp; TA ADDON right</P> Wed, 15 Feb 2023 12:12:06 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630949#M9262 sekhar463 2023-02-15T12:12:06Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630952#M9263 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>remember to use the sourcetype=juniper in you udp input.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 13:01:22 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630952#M9263 gcusello 2023-02-15T13:01:22Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630954#M9264 <P>where is it while doing inputs.conf file or in the device end while configuring to send syslogs</P> Wed, 15 Feb 2023 13:13:53 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630954#M9264 sekhar463 2023-02-15T13:13:53Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630956#M9265 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244375">@sekhar463</a>,</P><P>sourcetype is defined by GUI or by inputs.conf file.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Feb 2023 13:30:08 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-via-props-transforms-for-juniper-logs-in-splunk/m-p/630956#M9265 gcusello 2023-02-15T13:30:08Z