All Apps and Add-ons

Splunk with Riverbed steel head technology

ranjitbrhm1
Communicator

Hello Everyone, Has anyone managed to integrate riverbed steelhead NMS with splunk? It has an app and an addon. Where i am stuck is getting data from the riverbed into the splunk. I cannot seem to find where the settings are to forward the riverbed logs into splunk. The manuals are useless as they dont have an option for it. The machine which hosts it is a windows server. So will it help if i setup a universal forwarder on the windows server perhaps?
Thanks

0 Karma

p_gurav
Champion

The last Supported Version of Splunk the Add-on/Apps were validated against were Splunk 5.0. Unfortunately the Add-on/App is not viable for use with Splunk 6.x or Splunk 7.x.

Also you can try sending data on UDP 514.

0 Karma

ranjitbrhm1
Communicator

Can i take those configs from prop and transform.conf from the file i downloaded from splunk to create my own source type and then somehow use the universal forwarder to forward data from the software on to the server? Is that a possibility? Because when i checked on the app version, it is only 10 saved searches for the dashboard. so i was wondering if it would be a possibility to create the source types and somehow use the uf to send the data in. The contents of the prop.conf and transform.conf are like below/.

Props

> ## Riverbed Steelhead Technology Add-On - default/props.conf
> 
> TRANSFORMS-riverbed_src = riverbed_src


Transform

> ## Riverbed Steelhead Technology Add-On - default/transforms.conf
> 
> # This expressions looks for Steelhead format logs that fit the format.
> # While it may not be unique to the Steelhead, it's a pretty good place to
> start off.
> 
> [riverbed_src] REGEX =
> ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\
> \.:]+)\.(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)\]
> DEST_KEY = MetaData:Sourcetype FORMAT
> = sourcetype::riverbed_steelhead
> 
> # This transform exists to send INFO events over to another index.
> # Steelheads in informational mode generate a metric ton of traffic.
> 
> [riverbed_info] REGEX =
> ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\
> \.:]+)\.(INFO)\] DEST_KEY =
> _MetaData:Index FORMAT = riverbed_info
> 
> [riverbed_notice] REGEX =
> ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\
> \.:]+)\.(NOTICE)\] DEST_KEY =
> _MetaData:Index FORMAT = riverbed_notice
0 Karma

p_gurav
Champion

Yes you can do this but it will be trial and error.

0 Karma

ranjitbrhm1
Communicator

Thanks gourav. BTW will it crash my HF if i do some mistake on the files? Like for instance not processing other Source types etc?

0 Karma

p_gurav
Champion

Its always best practice to do it in test environment instead production. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...