i've renammed the sourcetype for our juniper SA log, we had it be "vpnssl", so i renammed it for "juniper_sa_log", but the data is still not showing as expected in juniper-SA app's dashboard and searches, is there a kind of manual that i could get my hands on?
The Juniper SA app expects the sourcetype of the data (for field extractions, etc) to work to be "juniper_sa_log". If you've got it branded as "syslog", then the rules that apply to the Juniper SA app won't be triggered. You can consider renaming the sourcetype if the Juniper data is the only thing coming in from syslog. Otherwise, you'll want to apply the "sa_sourcetyper_rule" to your incoming data. The existing rule looks like this:
[source::udp:514] TRANSFORMS-sasourcetype = sa_sourcetyper
You'll want to write something like this in your props.conf:
[syslog] TRANSFORMS-sasourcetype = sa_sourcetyper