Hi, I've just set up the Splunk For Symantec App in my distributed architecture.
On the forwarder, set an inputs.conf listening on port TCP 514 and forwarding data to index Symantec with sourcetype sep12:log
[tcp://X.X.X.X:514]
connection_host = ip
index=symantec
sourcetype = sep12:log
disabled = 0
On each indexer (2 indexers)
set the sep12 TA
On my Search Head, installed the app and configured it to read data in index symantec
When I received data from SEPM, the data are indexed in index Symantec with sourcetype sep12:log.
The app is looking for sourcetypes like sep12:agent or sep12:policy etc., as they are defined in props.conf and transforms.conf.
I think field extraction is not running as desired.
Has somebody tried to use this app in a distributed environment?
Thanks a lot.
Olivier.
Hi, I finally found the solution:
The stage when the add-on modifies the sourcetype is during the parsing process (through props.conf and transforms.conf).
Details here ==> http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Advancedsourcetypeoverrides
My architecture has a universal forwarder, and the parsing process is done only on indexers or a heavy forwarder. So my universal forwarder sets a sourcetype during the parsing stage, then forwards data to the indexers, which index without any transformations.
The solution in this case is
Hope that helps.
Olivier
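As an added illustration (not from the original post, and not the Symantec add-on's own configuration), this is the shape of the parse-time sourcetype override the answer refers to. Stanza names and the REGEX are constructed placeholders; the add-on ships its own rules. The point is where these files must live: on the indexers or a heavy forwarder, because a universal forwarder never runs the TRANSFORMS stage.

```ini
# props.conf -- deploy on the parsing tier (indexers / heavy forwarder),
# NOT only on the universal forwarder, or the override never runs.
[sep12:log]
# Order matters: transforms are applied in the sequence listed here.
TRANSFORMS-sep12_override = sep12_set_agent_sourcetype

# transforms.conf -- same hosts as the props.conf above
[sep12_set_agent_sourcetype]
# Constructed, illustrative pattern for events that look like agent logs;
# replace with the add-on's actual regex.
REGEX = ^\S+\s+Site:\s
# Rewriting this key changes the sourcetype before the event is indexed.
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::sep12:agent
```

To confirm the override took effect, run `index=symantec | stats count by sourcetype` on the search head: if every event still shows sep12:log, the transforms are not being applied on the parsing tier.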