I browsed the directories ./SplunkforSymantec/default/ and ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/
The files in those directories are almost identical.
So if I want to install SplunkforSymantec on a single Splunk instance and get the data via syslog, I don't have to install TA-sepapp11. Is that right?
I only need to create ./SplunkforSymantec/local/inputs.conf with the content:
I am doubtful about the string:
In the file ./SplunkforSymantec/appserver/addons/TA-sepapp11/default/inputs.conf I see:
## A default listener
# Leave as sep; subsequent transforms will revise to correct sub-sourcetype. Anything
# searchable with sourectype of sep is an error
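As an added example (not from the poster, the SplunkforSymantec app or TA-sepapp11), here is the shape a local/inputs.conf syslog listener stanza takes when it follows the quoted default comment and leaves the sourcetype as sep. The UDP port 514, the index name and the host-resolution setting are assumptions for the example; use whatever the Symantec side actually sends to.

```ini
# ./SplunkforSymantec/local/inputs.conf  (example only; port, index and host setting are assumed)

# Syslog listener for Symantec Endpoint Protection. Port 514 is the conventional
# syslog port; on Unix, binding a port below 1024 needs root or a port redirect.
[udp://514]
# Leave as sep, as the app's default comment says: the app's transforms are
# expected to rewrite it to the correct sub-sourcetype at index time.
sourcetype = sep
# Record the sending host by its source IP rather than doing a DNS lookup.
connection_host = ip
# Destination index; assumed name, change to the index you actually use.
index = main
disabled = 0
```

After restarting Splunk and sending a few events, the check implied by the quoted comment is a search such as `index=main sourcetype=sep` over a recent time range: it should return nothing, because anything still carrying the bare sourcetype sep means the re-sourcetyping transforms did not fire on that instance.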