in the 2.0.0 version of the TA there is a Readme folder that explains the input.conf stanza.
also keep in mind you need to hardcode the index in inputs.conf
in the README folder the inputs.conf.spec shows all parameters that can be configured in inputs.conf
[scwss-poll://<name>]
apiusername = <value>
*Cloud-driven Web Security Service API Username
apikey = <value>
*Cloud-driven Web Security Service API Key
start_time = <value>
*Data-collection start-time
* HTTPS proxy server address
https_proxy = <value>
* HTTPS proxy server port
https_proxy_port = <value>
* HTTPS proxy server username
https_proxy_username = <value>
* HTTPS proxy server password
https_proxy_password = <value>
python.version = <value>
the default or LOCAL inputs.conf contains:
***** please note index needs hardcoded in inputs.conf as index="wss" or logs end up in main****
[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
So what would a Complete stanza look like?
i.e. hardcoded to /TA-SymantecWebSecurityService/default/inputs.conf
[scwss-poll://<name>]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3
apiusername = <value>
*Cloud-driven Web Security Service API Username
apikey = <value>
*Cloud-driven Web Security Service API Key
start_time = <value>
*Data-collection start-time
* HTTPS proxy server address
https_proxy = <value>
* HTTPS proxy server port
https_proxy_port = <value>
* HTTPS proxy server username
https_proxy_username = <value>
* HTTPS proxy server password
https_proxy_password = <value>
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
in the 2.0.0 version of the TA there is a Readme folder that explains the input.conf stanza.
also keep in mind you need to hardcode the index in inputs.conf
in the README folder the inputs.conf.spec shows all parameters that can be configured in inputs.conf
[scwss-poll://<name>]
apiusername = <value>
*Cloud-driven Web Security Service API Username
apikey = <value>
*Cloud-driven Web Security Service API Key
start_time = <value>
*Data-collection start-time
* HTTPS proxy server address
https_proxy = <value>
* HTTPS proxy server port
https_proxy_port = <value>
* HTTPS proxy server username
https_proxy_username = <value>
* HTTPS proxy server password
https_proxy_password = <value>
python.version = <value>
the default or LOCAL inputs.conf contains:
***** please note index needs hardcoded in inputs.conf as index="wss" or logs end up in main****
[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
So what would a Complete stanza look like?
i.e. hardcoded to /TA-SymantecWebSecurityService/default/inputs.conf
[scwss-poll://<name>]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3
apiusername = <value>
*Cloud-driven Web Security Service API Username
apikey = <value>
*Cloud-driven Web Security Service API Key
start_time = <value>
*Data-collection start-time
* HTTPS proxy server address
https_proxy = <value>
* HTTPS proxy server port
https_proxy_port = <value>
* HTTPS proxy server username
https_proxy_username = <value>
* HTTPS proxy server password
https_proxy_password = <value>
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
