I'm new to Splunk and I'd like to use this app with a file as data input and not a port on the Splunk server.
I'm already running an instance of rsyslog and I don't want Splunk to retrieve logs directly.
How can I do this (if possible)?
You can add the files that rsyslog is storing to a "monitor://" stanza in $SPLUNK_HOME/etc/system/local/inputs.conf; just use the same sourcetype that the Cisco Firewall app is expecting. This would look something like: