Hi, I have a problem with the transform.conf: the logs are not parsed from the log source srx_log to be split up into eventtype=srx_traffic and srx_threat.
So the app dashboard and so on do not show any data, but the logs are coming in as srx_log.
Any suggestions?
Solved: set the traffic log in the SRX to structured data.
Thanks Splunk support for the auto combination 😃