All Apps and Add-ons

Splunk for Juniper SA Not picking up sourcetype

hartfoml
Motivator

I have the Juniper device sending to syslog-NG and I am reading the file as a monitored input to splunk.

I created a PROPS.conf like below in the local directory in the Juniper SA app:

### Transform Juniper SA Log SourceType
[source::/mnt/log/128.157.91.130/messages]
TRANSFORMS-sasourcetype= sa_sourcetypersouce
[source::/mnt/data/log/remote/r2s-my.server.com/messages]
TRANSFORMS-sasourcetype= sa_sourcetypersource

Do I need to create a transforms.conf in the local directory?
do I need to escape the "/" like this "//"

Tags (1)
0 Karma

grijhwani
Motivator

You appear to have a typo in your first source ("sa_sourcetypersouce" should presumably be "sa_sourcetypersource").

You should not need to escape the slashes.

You can create the transform definition wherever you consider appropriate, but if it is specific to the app then the app directory is the obvious place.

0 Karma

hartfoml
Motivator

great thanks: i did correct the typo of which I had a few.

Still not getting the sourcetype "juniper_sa_log"

I have the props.conf in the local directory and the transforms.conf in the default directory. Do you think this is the problem? since this is a search time transform I should not have to restart anything? Do you think i need to add the "priority=" value?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...