RiverBed Application

vistasyslog
New Member

I have three RiverBeds sending data into Splunk.
I downloaded and installed the RiverBed app and the RiverBed add-on, but can't get the app to fetch data.
Can someone explain in detail how to achieve that?

Thanks

0 Karma

vistasyslog
New Member

The Devices are directly sending Syslogs to Splunk with UDP.
I can see the data in the Syslog sourcetype, but when I go to the RiverBed app, I don't see any data.
I need to know how to get that data into the App.
Can I point to the devices ?

Thanks

0 Karma

sdaniels
Splunk Employee

Updated:

The sourcetype expected for the app is riverbed_steelhead. Take a look at the props.conf file and the transforms.conf file in the default directory.

In props.conf, you may need to add the stanza header. See link below, since I'm not sure why it's not like that in the app already.

Something like this:
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_src

Then transforms.conf already has this, which sets the sourcetype of the incoming syslog based on a regex. Restart Splunk. Once you can do a search for 'sourcetype=riverbed_steelhead' and see data, the app should populate for you.

[riverbed_src]
REGEX = ([a-z]+)(([\d+])|): [([A-Za-z0-9/_\ .:]+).(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

In props.conf make sure you reference the right source name. Examples here of what they have done:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

0 Karma

sdaniels
Splunk Employee

Doesn't look like that regex is going to work. I would start with REGEX = 10.12.0.20 just to see if you get one device coming in. What is the semicolon... the OR operator should be a pipe '|', so that won't work. If you want to do this based on the host, you can also use SOURCE_KEY = MetaData:Host to apply the regex to the host field as well.

0 Karma
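To make the two points above concrete (the ':' in the posted REGEX is a literal character rather than an OR operator, and SOURCE_KEY = MetaData:Host matches on the host instead of the raw text), here is an added Python simulation of a transforms.conf stanza with DEST_KEY = MetaData:Sourcetype. It is not code from the thread or from the RiverBed app; the syslog lines are constructed, only the three device addresses come from the thread, and it assumes these patterns behave the same under Python's re as under Splunk's regex engine and that Splunk's default SOURCE_KEY is _raw.

```python
import re
from collections import Counter

# The three appliance addresses named in the thread.
DEVICES = ["10.12.0.20", "10.0.0.33", "10.10.20.185"]

# Constructed sample events: (value Splunk would hold in MetaData:Host, raw syslog text).
# None of these lines is real device output.
SAMPLE_EVENTS = [
    ("10.12.0.20",   "<14>Jan 10 12:00:01 10.12.0.20 sport[1234]: [mgmtd.NOTICE]: Optimization service started"),
    ("10.0.0.33",    "<14>Jan 10 12:00:02 10.0.0.33 sport[1234]: [wdt.INFO]: Watchdog check OK"),
    ("10.10.20.185", "<14>Jan 10 12:00:03 10.10.20.185 sport[1234]: [cli.WARN]: Login failed for user admin"),
    ("10.99.1.7",    "<14>Jan 10 12:00:04 10.99.1.7 sshd[22]: Accepted publickey for admin"),
    # A non-RiverBed host whose message merely mentions an appliance address.
    ("10.99.1.8",    "<14>Jan 10 12:00:05 10.99.1.8 fw[9]: deny tcp 10.12.0.20:443 -> 10.99.1.8:51000"),
]

# REGEX as posted in the thread: ':' is a literal character, not an OR operator,
# so it can only match the literal text "10.12.0.20:10.0.0.33:10.10.20.185".
COLON_REGEX = r"(10.12.0.20:10.0.0.33:10.10.20.185)"

# Alternation with '|' and escaped dots, searched anywhere in _raw.
RAW_REGEX = "(" + "|".join(re.escape(d) for d in DEVICES) + ")"

# The same alternation anchored to the whole host value, for SOURCE_KEY = MetaData:Host.
HOST_REGEX = "^(" + "|".join(re.escape(d) for d in DEVICES) + ")$"


def apply_transform(events, regex, source_key="_raw"):
    """Mimic one transforms.conf stanza with DEST_KEY = MetaData:Sourcetype.

    source_key is "_raw" (Splunk's default, assumed here) or "MetaData:Host".
    Events the REGEX matches get sourcetype riverbed_steelhead; the rest
    keep the generic syslog sourcetype.
    """
    pattern = re.compile(regex)
    tagged = []
    for host, raw in events:
        subject = host if source_key == "MetaData:Host" else raw
        sourcetype = "riverbed_steelhead" if pattern.search(subject) else "syslog"
        tagged.append((host, sourcetype))
    return tagged


def count_sourcetypes(events, regex, source_key="_raw"):
    """Count how many events a stanza variant routes to each sourcetype."""
    return dict(Counter(st for _, st in apply_transform(events, regex, source_key)))


if __name__ == "__main__":
    for label, regex, key in [
        ("colon-separated, on _raw", COLON_REGEX, "_raw"),
        ("pipe alternation, on _raw", RAW_REGEX, "_raw"),
        ("pipe alternation, on MetaData:Host", HOST_REGEX, "MetaData:Host"),
    ]:
        print(f"{label:36s} {count_sourcetypes(SAMPLE_EVENTS, regex, key)}")
```

Running it shows the colon-separated pattern tagging nothing, the pipe alternation on _raw tagging all three appliances plus the firewall line that merely mentions 10.12.0.20, and the host-keyed variant tagging exactly the three appliances. In Splunk terms, the last variant is a transforms stanza with SOURCE_KEY = MetaData:Host and a REGEX built from '|' and escaped dots, referenced from the [source::udp:514] stanza in props.conf as described earlier in the thread.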

vistasyslog
New Member

I am not getting the data in the riverbed_steelhead sourcetype.
I get very few messages: 20 out of 8000 messages so far.

transforms.conf reads :

[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

Props.conf reads :

[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead

0 Karma

sdaniels
Splunk Employee

What is your setting for [source::...]? Don't change anything else.

0 Karma

vistasyslog
New Member

I added the TRANSFORMS setting to the props.conf file in the local directory.
I also tried changing it to riverbed_src = riverbed_steelhead.
I don't see that index being populated, though.

0 Karma

sdaniels
Splunk Employee

I updated above.

0 Karma