Hi,
I've added the Symantec Endpoint Reporting App, but nothing is showing up in the dash.
I've set up logs to be transferred via UDP:515. If I search for data using sourcetype=sep11:log or source=udp:515 I can see all of the data, so it's obviously going to Splunk. Reading other questions, do I need to change the index? Currently the index for the entries is showing as main. If I need to, can someone guide me through it?
I'm new to Splunk, so please be gentle.
I actually suggest you install this app instead - http://splunk-base.splunk.com/apps/74435/splunk-for-symantec - Mine is outdated and hasn't been updated in a long time.
Brian
Hi, I have exactly the same problem. Did you solve it?
I found that the sub-sourcetypes defined in props.conf and transforms.conf are not applied.
Any clue?
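The two questions in this thread (data landing in the main index, and sub-sourcetypes from props.conf/transforms.conf not being applied) both come down to index-time configuration on the Splunk instance that receives the UDP feed. The fragments below are an added illustration, not configuration from the Symantec app or from either poster. The index name sep, the stanza name sep_agt_system, the sub-sourcetype sep11:agt_system and the regex are all constructed placeholders; the real sub-sourcetype names and patterns come from the app's own transforms.conf.

```ini
# inputs.conf (on the indexer or heavy forwarder that listens on UDP 515)
# Assigns the base sourcetype and a dedicated index at the input, so events no
# longer default to main. The index "sep" is an assumed name and must already
# exist (indexes.conf) or Splunk will drop the events.
[udp://515]
sourcetype = sep11:log
index = sep

# props.conf
# Index-time transforms are attached to the *base* sourcetype; if the data
# arrives with any other sourcetype the sub-sourcetype rules never fire.
[sep11:log]
TRANSFORMS-sep_subtypes = sep_agt_system

# transforms.conf
# Rewrites the sourcetype when the event matches. Stanza name, regex and
# target sourcetype are constructed examples, not the app's real values.
[sep_agt_system]
REGEX = (?i)Symantec Endpoint Protection.*System
FORMAT = sourcetype::sep11:agt_system
DEST_KEY = MetaData:Sourcetype
```

Two checks that explain most "nothing shows in the dashboard" cases: index-time rules (props/transforms with DEST_KEY) only run on the indexer or heavy forwarder, not on a universal forwarder or search head, and they only affect events indexed after a restart, so data already sitting in main with sourcetype=sep11:log will never be rewritten; and the app's dashboards typically search a specific index or the sub-sourcetypes, so confirm with a search such as index=* sourcetype=sep11:* | stats count by index, sourcetype which index and sourcetypes the events actually carry, then either point the input at the expected index (as above) or adjust the app's searches to include the index in use.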