All Apps and Add-ons

Source types and field tagging

e3splunk
New Member

The App doesn't seem to track back to the data from the Juniper logs. Our data is source="syslog" from our Juniper boxes, how do we tie this back to the Junipe SA App for the field extractions?

0 Karma

secinfo
New Member

i've renammed the sourcetype for our juniper SA log, we had it be "vpnssl", so i renammed it for "juniper_sa_log", but the data is still not showing as expected in juniper-SA app's dashboard and searches, is there a kind of manual that i could get my hands on?

0 Karma

sowings
Splunk Employee
Splunk Employee

The Juniper SA app expects the sourcetype of the data (for field extractions, etc) to work to be "juniper_sa_log". If you've got it branded as "syslog", then the rules that apply to the Juniper SA app won't be triggered. You can consider renaming the sourcetype if the Juniper data is the only thing coming in from syslog. Otherwise, you'll want to apply the "sa_sourcetyper_rule" to your incoming data. The existing rule looks like this:

[source::udp:514]
TRANSFORMS-sasourcetype = sa_sourcetyper

You'll want to write something like this in your props.conf:

[syslog]
TRANSFORMS-sasourcetype = sa_sourcetyper
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...