Hello,
I browsed directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories are almost identical.
So if I want to install SplunkforSymantec on a single Splunk instance and get the data via syslog, I don't have to install TA-sepapp11. Is that right?
I only need to create ./SplunkforSymantec/local/inputs.conf with the content:
[udp:516]
sourcetype=sep11:log
I have doubts about the string:
sourcetype=sep11:log
In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:
## A default listener
#[udp:516]
#sourcetype=sep11:log
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error
So, what is correct: "sep11:log" or "sep"?
I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:
[udp://514]
sourcetype = sep11:log
I had a problem with parsing the logs. The logs were written in Russian. The Splunk for Symantec app has a parser only for English logs.
Best regards, Artem.
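The confusion in the question (is the commented-out "#[udp:516]" stanza in default/inputs.conf active, and what does a stanza in local/inputs.conf actually set?) comes down to how Splunk layers an app's default/ and local/ copies of inputs.conf: local overrides default, and a commented-out stanza contributes nothing. The following script is an added example, not code from this thread or from the Splunk for Symantec app; it reproduces that single-app layering for constructed copies of both files and reports the effective UDP listeners and their sourcetype. It does not model Splunk's full precedence across apps or system/, and it says nothing about the localized-log parsing problem mentioned in the answer.

```python
"""Resolve the effective UDP listeners from a Splunk app's layered inputs.conf.

Added example (not part of the original post or the Splunk for Symantec app).
It mimics the default/ -> local/ precedence for one app so you can see why a
'#[udp:516]' stanza in default/inputs.conf is inert and which sourcetype a
stanza in local/inputs.conf really sets.
"""
import configparser

# Constructed sample of the app's default/inputs.conf: the listener stanza is
# commented out, exactly the situation the question describes.
DEFAULT_INPUTS = """\
## A default listener
#[udp:516]
#sourcetype=sep11:log
"""

# Constructed sample of a local/inputs.conf that enables the listener.
LOCAL_INPUTS = """\
[udp://514]
sourcetype = sep11:log
"""


def parse_inputs(text):
    """Parse one inputs.conf layer into {stanza: {key: value}}.

    Full-line '#' comments are dropped by configparser, so a commented-out
    stanza never shows up. Interpolation is disabled because Splunk conf
    values may legitimately contain '%'.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep attribute names as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers):
    """Merge layers in precedence order: later layers (local) win over earlier ones."""
    merged = {}
    for layer in layers:
        for stanza, attrs in layer.items():
            merged.setdefault(stanza, {}).update(attrs)
    return merged


def udp_listeners(conf):
    """Return {port: sourcetype} for every [udp:...] / [udp://...] stanza.

    Splunk accepts both 'udp:514' and 'udp://514' stanza headers; both forms
    are normalised here so they are treated as the same listener.
    """
    listeners = {}
    for stanza, attrs in conf.items():
        if not stanza.startswith("udp:"):
            continue
        port = stanza.split(":", 1)[1].lstrip("/")
        listeners[int(port)] = attrs.get("sourcetype")  # None if unset
    return listeners


def effective_listeners(default_text=DEFAULT_INPUTS, local_text=LOCAL_INPUTS):
    """Effective UDP listeners after applying local/ on top of default/."""
    return udp_listeners(merge_layers(parse_inputs(default_text),
                                      parse_inputs(local_text)))


if __name__ == "__main__":
    # With the constructed files above only the local stanza is live:
    # {514: 'sep11:log'}; port 516 never appears because it was commented out.
    print(effective_listeners())
```

Run it as-is to see that only port 514 with sourcetype sep11:log is live; pass your real default/ and local/ file contents to effective_listeners() to check what your own app layering resolves to before restarting Splunk. A listener whose sourcetype is reported as None is the case the app's comment warns about: events would arrive without the sep11:log sourcetype that the app's transforms key on.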