Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I configure the sourcetype in inputs.conf to index Incapsula Imperva logs in Splunk?

brent_weaver
Builder
‎01-05-2016 04:34 AM

Hello there..

I am integrating Imperva logs into Splunk. I cannot seem to figure out what to set the sourcetype to in the inputs.conf file. I am using the SIEM connector to gather the logs to my Linux server and then having Splunk pick it up from there. Any help is much appreciated!

0 Karma
Reply

brent_weaver
Builder
‎01-05-2016 11:19 AM

Hey. I found out that the Splunk App for Incapsula/Imperva is looking for a sourcetype of incapsula. I set it to that and will see what the results are!

I will let you all know. Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-05-2016 05:40 AM

There is no pre-trained sourcetype for Imperva so you'll have to create your own. You could put "sourcetype=Imperva" in your inputs.conf file and then add a "[Imperva]" stanza to your props.conf file to tell Splunk how to process those logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

stephanefotso
Motivator
‎01-05-2016 05:36 AM

Take this as an example. You can put your inputs.conf file in $SPLUNK_HOME$/etc/system/local

[monitor://<path>]
index = myindex
sourcetype = mysourcetype
...
<attrbute> = <val>
<attrbute> = <val>
SGF
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...