I have three Riverbeds sending data into Splunk.
I downloaded and installed the Riverbed app and the Riverbed add-on, but can't get the app to fetch data.
Can someone explain in detail how to achieve that?
Thanks
The devices are directly sending syslogs to Splunk over UDP.
I can see the data in the syslog sourcetype, but when I go to the Riverbed app, I don't see any data.
I need to know how to get that data into the app.
Can I point to the devices?
Thanks
Updated:
The sourcetype expected by the app is riverbed_steelhead. Take a look at the props.conf and transforms.conf files in the app's default directory.
In props.conf, you may need to add the stanza header. See the link below, since I'm not sure why it's not like that in the app already.
Something like this:
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_src
transforms.conf already has the following, which sets the sourcetype of the incoming syslog based on a regex. Restart Splunk. Once you can search for 'sourcetype=riverbed_steelhead' and see data, the app should populate for you.
[riverbed_src]
# Backslash escapes restored here; the forum stripped them from the pasted regex.
REGEX = ([a-z]+)(\[\d+\]|): \[([A-Za-z0-9/_\ .:]+)\.(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)\]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
In props.conf, make sure you reference the right source name. There are examples here of what others have done:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides
Doesn't look like that regex is going to work. I would start with REGEX = 10.12.0.20 just to see if you get one device coming in. What is the semicolon for? The "or" operator should be a pipe '|', so that won't work. If you want to do this based on the host, you can also use SOURCE_KEY = MetaData:Host to apply the regex to the host field instead.
I am not getting the data in the riverbed_steelhead sourcetype.
I get very few messages: 20 out of 8000 messages so far.
transforms.conf reads:
[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
props.conf reads:
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead
What is your setting for [source::...]? Don't change anything else.
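To see why the colon-separated host regex above matches almost nothing while the app's format regex and a pipe-separated host list do, here is an added Python example (not from this thread, the Riverbed app, or Splunk) that emulates what a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype does: if REGEX matches the SOURCE_KEY text, the event's sourcetype becomes FORMAT, otherwise it stays as-is. The sample syslog lines are constructed; the Steelhead line layout ("process[pid]: [module.LEVEL] ...") is assumed from the app's regex, and the IPs are the three from the thread.

```python
import re

# Constructed sample events: (host field Splunk assigns, raw event text).
# For UDP syslog the host is normally the sending IP. The last event is a
# non-Steelhead device to show the transform leaving it alone.
SAMPLE_EVENTS = [
    ("10.12.0.20",   "Mar  3 10:15:01 sh-a sport[2211]: [splice/client.INFO] Connection established"),
    ("10.0.0.33",    "Mar  3 10:15:02 sh-b mgmtd[1020]: [mgmtd.NOTICE] Config saved"),
    ("10.10.20.185", "Mar  3 10:15:03 sh-c sport[2212]: [rsp.ERR] Optimization failed"),
    ("192.168.5.9",  "Mar  3 10:15:04 fw1 kernel: [12345.678] eth0: link up"),
]

# The app's transforms.conf regex, applied to the raw event (Splunk's default
# SOURCE_KEY is _raw). "\ " in the original PCRE class is written as a plain
# space here, which is what it means.
STEELHEAD_FORMAT = re.compile(
    r"([a-z]+)(\[\d+\]|): \[([A-Za-z0-9/_ .:]+)\.(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)\]"
)

# The host regex as posted: a single literal string "ip:ip:ip", so it only
# matches text that contains all three addresses joined by colons.
HOSTS_AS_POSTED = re.compile(r"(10.12.0.20:10.0.0.33:10.10.20.185)")

# Host list with '|' alternation, dots escaped and anchored, meant for
# SOURCE_KEY = MetaData:Host so it is tested against the host field.
HOSTS_ALTERNATION = re.compile(r"^(10\.12\.0\.20|10\.0\.0\.33|10\.10\.20\.185)$")


def apply_transform(regex, source_key_value, current="syslog", fmt="riverbed_steelhead"):
    """Emulate one transform: REGEX match on SOURCE_KEY rewrites the sourcetype to FORMAT."""
    return fmt if regex.search(source_key_value) else current


def classify(events, regex, source_key):
    """Return {host: sourcetype}. source_key is 'raw' (default _raw) or 'host' (MetaData:Host)."""
    result = {}
    for host, raw in events:
        value = raw if source_key == "raw" else host
        result[host] = apply_transform(regex, value)
    return result


def counts(events, regex, source_key):
    """How many events ended up in each sourcetype; the 'few out of many' symptom shows here."""
    tally = {}
    for st in classify(events, regex, source_key).values():
        tally[st] = tally.get(st, 0) + 1
    return tally


if __name__ == "__main__":
    print("app format regex on _raw:      ", counts(SAMPLE_EVENTS, STEELHEAD_FORMAT, "raw"))
    print("colon list on _raw (as posted):", counts(SAMPLE_EVENTS, HOSTS_AS_POSTED, "raw"))
    print("colon list on host:            ", counts(SAMPLE_EVENTS, HOSTS_AS_POSTED, "host"))
    print("pipe list on host:             ", counts(SAMPLE_EVENTS, HOSTS_ALTERNATION, "host"))
```

The pipe-separated variant corresponds to a transforms.conf stanza with SOURCE_KEY = MetaData:Host added under the REGEX; the format regex corresponds to the app's own stanza with the default SOURCE_KEY. Either way the sourcetype is only rewritten for events the regex actually hits, so testing the regex against one real event, as suggested above, is the quickest way to tell which one you have.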
I added the TRANSFORMS line to the props.conf file in the local directory.
I also tried changing it to TRANSFORMS-riverbed_src = riverbed_steelhead.
I don't see that index being populated though.
I updated above.