All Apps and Add-ons

Installation Splunk for Symantec app for single instance

apakhomov
Path Finder

Hello,
I browsed directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories almost identical.

So If I want to install SplunkforSymantec on the single Splunk instance and want to get data by syslog, I don't have to install TA-sepapp11. Is it right?

I only need to create./SplunkforSymantec/local/inputs.conf with content:

[udp:516]
sourcetype=sep11:log

I doubt about the string:

sourcetype=sep11:log

In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:

## A default listener
#[udp:516]
#sourcetype=sep11:log
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error

So, what is correct: "sep11:log" or "sep"

Tags (3)
0 Karma
1 Solution

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

View solution in original post

0 Karma

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

View solution in original post

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!