All Apps and Add-ons

Installation Splunk for Symantec app for single instance

apakhomov
Path Finder

Hello,
I browsed directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories almost identical.

So If I want to install SplunkforSymantec on the single Splunk instance and want to get data by syslog, I don't have to install TA-sepapp11. Is it right?

I only need to create./SplunkforSymantec/local/inputs.conf with content:

[udp:516]
sourcetype=sep11:log

I doubt about the string:

sourcetype=sep11:log

In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:

## A default listener
#[udp:516]
#sourcetype=sep11:log
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error

So, what is correct: "sep11:log" or "sep"

Tags (3)
0 Karma
1 Solution

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

View solution in original post

0 Karma

apakhomov
Path Finder

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:

[udp://514]
sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.


Best regards, Artem.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...