Hello everyone. Has anyone managed to integrate Riverbed SteelHead NMS with Splunk? It has an app and an add-on. Where I am stuck is getting data from the Riverbed into Splunk. I cannot seem to find where the settings are to forward the Riverbed logs into Splunk. The manuals are useless, as they don't have an option for it. The machine which hosts it is a Windows server. So will it help if I set up a universal forwarder on the Windows server, perhaps?
The last supported version of Splunk the add-on/app was validated against was Splunk 5.0. Unfortunately the add-on/app is not viable for use with Splunk 6.x or Splunk 7.x.
Also, you can try sending data on UDP 514.
Can I take those configs from props.conf and transforms.conf from the file I downloaded from Splunk to create my own sourcetype, and then somehow use the universal forwarder to forward data from the software on to the server? Is that a possibility? Because when I checked the app version, it is only 10 saved searches for the dashboard. So I was wondering if it would be a possibility to create the sourcetypes and somehow use the UF to send the data in. The contents of props.conf and transforms.conf are as below.
Props:

    ## Riverbed Steelhead Technology Add-On - default/props.conf

    # (the stanza header this setting sits under is not included in the post)
    TRANSFORMS-riverbed_src = riverbed_src

Transforms:

    ## Riverbed Steelhead Technology Add-On - default/transforms.conf

    # This expression looks for Steelhead format logs that fit the format.
    # While it may not be unique to the Steelhead, it's a pretty good place to
    # start off.

    [riverbed_src]
    REGEX = ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)\]
    DEST_KEY = MetaData:Sourcetype
    FORMAT = sourcetype::riverbed_steelhead

    # This transform exists to send INFO events over to another index.
    # Steelheads in informational mode generate a metric ton of traffic.

    [riverbed_info]
    REGEX = ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(INFO)\]
    DEST_KEY = _MetaData:Index
    FORMAT = riverbed_info

    [riverbed_notice]
    REGEX = ([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(NOTICE)\]
    DEST_KEY = _MetaData:Index
    FORMAT = riverbed_notice
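Before reusing those transforms, it helps to confirm the three regexes actually match the SteelHead lines you receive and to see which sourcetype and index each event would be routed to. The script below is an added example, not code from the add-on or from this thread: it applies the quoted REGEX values to constructed Steelhead-style syslog lines and reports the routing, assuming (as Splunk requires) that index-time TRANSFORMS run on the indexer or a heavy forwarder rather than on the universal forwarder.

```python
import re

# The three REGEX values quoted from transforms.conf above, copied verbatim.
# Splunk evaluates them as PCRE; these particular patterns behave the same
# under Python's re module, so this is a reasonable offline check.
RIVERBED_SRC = re.compile(
    r"([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(INFO|NOTICE|WARN|ALERT|ERR|CRIT|EMER)\]")
RIVERBED_INFO = re.compile(r"([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(INFO)\]")
RIVERBED_NOTICE = re.compile(r"([a-z]+)((\[\d+\])|): \[([A-Za-z0-9/_\ \.:]+)\.(NOTICE)\]")


def route_event(line, default_sourcetype="syslog", default_index="main"):
    """Mimic the index-time routing the quoted transforms apply to one event.

    Caveat: the quoted props.conf only references riverbed_src; riverbed_info
    and riverbed_notice must also appear in a TRANSFORMS- setting for the
    index routing modelled here to fire on a real indexer.
    """
    result = {"sourcetype": default_sourcetype, "index": default_index,
              "process": None, "pid": None, "module": None, "severity": None}
    m = RIVERBED_SRC.search(line)
    if m:
        result["sourcetype"] = "riverbed_steelhead"
        result["process"] = m.group(1)
        result["pid"] = m.group(3)[1:-1] if m.group(3) else None  # strip [ ]
        result["module"] = m.group(4)
        result["severity"] = m.group(5)
    if RIVERBED_INFO.search(line):
        result["index"] = "riverbed_info"
    elif RIVERBED_NOTICE.search(line):
        result["index"] = "riverbed_notice"
    return result


# Constructed sample lines in the SteelHead syslog style; not real device output.
SAMPLE_LINES = [
    "Mar  3 10:15:22 sh-branch1 sport[12345]: [splice/client.INFO] 1 {10.0.1.5:49213 10.0.2.8:443} init",
    "Mar  3 10:15:23 sh-branch1 sport[12345]: [connect_pool.NOTICE] 0 {10.0.2.8:443} pool refill",
    "Mar  3 10:15:24 sh-branch1 mgmtd: [mgmtd.WARN]: disk usage at 91 percent",
    "Mar  3 10:15:25 sh-branch1 sshd[999]: Accepted publickey for admin from 10.0.0.9",
]


def route_samples():
    """Route every constructed line; useful for eyeballing before deploying."""
    return [route_event(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, r in zip(SAMPLE_LINES, route_samples()):
        print(f"{r['sourcetype']:<20} {r['index']:<16} {str(r['severity']):<7} {line[:60]}")
```

A line that falls through to the defaults (like the sshd one) is exactly what to look for when the dashboards stay empty: it means the regex never saw the `[module.SEVERITY]` token, usually because the syslog header differs from what the add-on expected.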