Re: How do I configure the sourcetype in inputs.co...

brent_weaver · ‎01-05-2016

Hello there..

I am integrating Imperva logs into Splunk. I cannot seem to figure out what to set the sourcetype to in the inputs.conf file. I am using the SIEM connector to gather the logs to my Linux server and then having Splunk pick it up from there. Any help is much appreciated!

brent_weaver · ‎01-05-2016

Hey. I found out that the Splunk App for Incapsula/Imperva is looking for a sourcetype of incapsula. I set it to that and will see what the results are!

I will let you all know. Thanks!

richgalloway · ‎01-05-2016

There is no pre-trained sourcetype for Imperva so you'll have to create your own. You could put "sourcetype=Imperva" in your inputs.conf file and then add a "[Imperva]" stanza to your props.conf file to tell Splunk how to process those logs.

---
If this reply helps you, Karma would be appreciated.

stephanefotso · ‎01-05-2016

Take this as an example. You can put your inputs.conf file in $SPLUNK_HOME$/etc/system/local

[monitor://<path>]
index = myindex
sourcetype = mysourcetype
...
<attrbute> = <val>
<attrbute> = <val>

SGF

How do I configure the sourcetype in inputs.conf to index Incapsula Imperva logs in Splunk?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!