Hi,
I am very new to Splunk so please let me know if you need more information or if I am not specific enough.
I am trying to use Splunk with the "App for McAfee Web Gateway". There is not really much documentation, so I guess the installation instructions are obvious if you know Splunk well, but I don't...
The App seems fine, and I imported the "MWGaccesslog_for_Splunk.xml" into the Web Gateway. Log file is being written locally on the web gateway.
To test the app, I copied it to the Splunk server.
Now when I want to add a data input through Settings -> Data inputs -> Files & Directories, I can select the file and the preview looks valid.
But when I want to select the source type "MWGaccesslog" it is not available from the list (there is only access_combined, apache_error, iis, ...).
I tried to "Start a new source type" and use the name "MWGaccesslog", but then Splunk says that this source already exists.
So why can't I select it from the list?
The installed version is Splunk free 6.0.1 on Debian 7.
Thanks!
Ok, I found it, it is not in the list, I have to type it into the field after selecting manual...
My bad...
The data seems to be indexed, I can find it in the search and it says "sourcetype = MWGaccess".
So far so good... but nothing shows up in the App.
Any idea what I am missing?
Thanks
Yes it is - again, my bad.
I recreated the data input and now it works.
Now I'll just have to find a good way to get the log file to the Splunk server.
Thanks!
Wasn't that supposed to be "MWGaccesslog"?