All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Symantec Web Security Service App for Splunk Log Files

pjohnson1
Path Finder
‎05-15-2020 03:01 AM

We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.

inputs.conf 

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

Maybe something like this?

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll

[monitor://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

View solution in original post

Reply
Solved! Jump to solution
Solution

PavelP
Motivator
‎05-15-2020 04:01 AM

Hello @pjohnson1

yes this will keep zip files in $SPLUNK_HOME/var/spool/splunk, be aware that depending of the log volume the HD space can be fast filled up. It is better to move zip files from the spool directory after indexing somewhere else.

P.S. BTW, if you had issues with WSS this week, like not possible to create WSS input in splunk or logs are coming empty - it is not your fault - it was confirmed by Broadcom support, even if Broadcom status page doesn't mention it: https://wss.status.broadcom.com/

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...