Solved: Installation Splunk for Symantec app for single in...

apakhomov · ‎06-20-2013

Hello,
I browsed directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories almost identical.

So If I want to install SplunkforSymantec on the single Splunk instance and want to get data by syslog, I don't have to install TA-sepapp11. Is it right?

I only need to create./SplunkforSymantec/local/inputs.conf with content:
[udp:516] sourcetype=sep11:log

I doubt about the string:
sourcetype=sep11:log

In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:
## A default listener #[udp:516] #sourcetype=sep11:log # Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything # searchable with sourectype of sep is an error

So, what is correct: "sep11:log" or "sep"

apakhomov · ‎07-08-2013

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:
[udp://514] sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.

Best regards, Artem.

View solution in original post

apakhomov · ‎07-08-2013

I was wrong. TA-sepapp11 must be installed.
Correct strings for the inputs.conf:
[udp://514] sourcetype = sep11:log

I had problem with parsing logs. The logs was written in Russian. The Splunk for Symantec app has parser only for the English logs.

Best regards, Artem.

Installation Splunk for Symantec app for single instance

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!