RiverBed Application

vistasyslog
New Member

I have three RiverBeds sending data into Splunk.
I downloaded and installed the RiverBed app and the RiverBed add-on, but can't get the app to fetch data.
Can someone explain in detail how to achieve that?

Thanks

0 Karma

vistasyslog
New Member

The Devices are directly sending Syslogs to Splunk with UDP.
I can see the data in the Syslog Sourcetype, but when I go to the RiverBed app, I don't see any data.
I need to know how to get that data into the App.
Can I point to the devices?

Thanks

0 Karma

sdaniels
Splunk Employee

Updated:

The sourcetype expected for the app is riverbed_steelhead. Take a look at the props.conf file and the transforms.conf file in the default directory.

In props.conf, you may need to add the stanza header. See link below, since I'm not sure why it's not like that in the app already.

Something like this:
[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_src

Then transforms.conf already has this, which is setting the sourcetype of the incoming syslog based on a regex. Restart Splunk. Once you can do a search for 'sourcetype=riverbed_steelhead' and see data, the app should populate for you.

[riverbed_src]
REGEX = ([a-z]+)(([\d+])|): [([A-Za-z0-9/_\ .:]+).(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

In props.conf make sure you reference the right sourcename. Examples here of what they have done.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Advancedsourcetypeoverrides

0 Karma

sdaniels
Splunk Employee

Doesn't look like that regex is going to work. I would start with REGEX = 10.12.0.20 just to see if you get one device coming in. What is the semicolon... the or operator should be a pipe '|', so that won't work. If you want to do this based on the host you can also use SOURCE_KEY = MetaData:Host to apply the regex to the host field as well.

0 Karma
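To see why the colon-separated pattern in the transforms.conf above matches almost nothing while a pipe-separated alternation (or a host-based match with SOURCE_KEY = MetaData:Host) does, here is a small stand-alone emulation of the sourcetype override that sdaniels describes. This is an added example, not part of the thread and not Splunk's own code: it parses a .conf-style text, applies REGEX to `_raw` or to the host (depending on SOURCE_KEY), and rewrites the sourcetype via FORMAT. The sample syslog lines and the three device addresses are constructed to mirror the thread; they are not real SteelHead output. Splunk uses PCRE rather than Python's `re`, but these simple patterns behave the same in both.

```python
import re

# Constructed sample events as (host, _raw). Not real SteelHead log output;
# the three addresses are the ones quoted in the thread, plus one other host.
SAMPLE_EVENTS = [
    ("10.12.0.20",   "<14>Jan  1 12:00:00 10.12.0.20 sport[1234]: [mgmtd.NOTICE] config change"),
    ("10.0.0.33",    "<14>Jan  1 12:00:01 10.0.0.33 sport[1234]: [cli.INFO] user admin logged in"),
    ("10.10.20.185", "<14>Jan  1 12:00:02 10.10.20.185 sport[4321]: [wdt.WARN] service restarted"),
    ("192.168.1.5",  "<14>Jan  1 12:00:03 192.168.1.5 sshd[99]: Accepted publickey for root"),
]

# The transform as posted in the thread: colons between the addresses mean
# the regex can only match the literal string "10.12.0.20:10.0.0.33:10.10.20.185".
BROKEN_TRANSFORMS = """
[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
"""

# Corrected alternation: pipes between alternatives, dots escaped so that
# "10.12.0.20" cannot also match "10x12y0z20".
FIXED_TRANSFORMS = """
[riverbed_steelhead]
REGEX = (10\\.12\\.0\\.20|10\\.0\\.0\\.33|10\\.10\\.20\\.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
"""

# Host-based variant: SOURCE_KEY points the regex at the host field instead of _raw.
HOST_TRANSFORMS = """
[riverbed_steelhead]
SOURCE_KEY = MetaData:Host
REGEX = ^(10\\.12\\.0\\.20|10\\.0\\.0\\.33|10\\.10\\.20\\.185)$
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead
"""


def parse_stanzas(conf_text):
    """Parse minimal .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_transform(transform, host, raw, default_sourcetype="syslog"):
    """Emulate one sourcetype-override transform for a single event.

    REGEX is tested against _raw unless SOURCE_KEY names the host field;
    on a match, FORMAT ('sourcetype::<name>') supplies the new sourcetype.
    """
    source_key = transform.get("SOURCE_KEY", "_raw")
    target = host if source_key == "MetaData:Host" else raw
    if re.search(transform["REGEX"], target):
        return transform["FORMAT"].split("::", 1)[1]
    return default_sourcetype


def classify(transforms_conf, stanza="riverbed_steelhead", events=SAMPLE_EVENTS):
    """Return the resulting sourcetype for every sample event."""
    transform = parse_stanzas(transforms_conf)[stanza]
    return [apply_transform(transform, host, raw) for host, raw in events]


def count_matched(transforms_conf):
    """How many sample events would end up as riverbed_steelhead."""
    return classify(transforms_conf).count("riverbed_steelhead")


if __name__ == "__main__":
    for label, conf in [("broken", BROKEN_TRANSFORMS), ("fixed", FIXED_TRANSFORMS), ("host", HOST_TRANSFORMS)]:
        print(f"{label:>6}: {classify(conf)}")
```

The broken pattern leaves every event at the default sourcetype, which is the "20 out of 8000" symptom in the thread (whatever did match was coincidental); the pipe-separated and host-based variants route all three device addresses to riverbed_steelhead and leave the unrelated host alone. In Splunk itself, confirm the result with the search quoted above, `sourcetype=riverbed_steelhead`, after restarting.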

vistasyslog
New Member

I am not getting the data in the riverbed_steelhead source type.
I get very few messages. 20 out of 8000 messages till now.

transforms.conf reads :

[riverbed_steelhead]
REGEX = (10.12.0.20:10.0.0.33:10.10.20.185)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::riverbed_steelhead

Props.conf reads :

[source::udp:514]
TRANSFORMS-riverbed_src = riverbed_steelhead

0 Karma

sdaniels
Splunk Employee

What is your setting for [source::...]? Don't change anything else.

0 Karma

vistasyslog
New Member

I added the Transforms commands to the props.conf file in Local Directory.
I also tried to change Riverbed_src = riverbed_steelhead.
I don't see that index being populated though.

0 Karma

sdaniels
Splunk Employee

I updated above.

0 Karma
