How do I configure the sourcetype in inputs.conf t...

brent_weaver · ‎01-05-2016

Hello there..

I am integrating Imperva logs into Splunk. I cannot seem to figure out what to set the sourcetype to in the inputs.conf file. I am using the SIEM connector to gather the logs to my Linux server and then having Splunk pick it up from there. Any help is much appreciated!

brent_weaver · ‎01-05-2016

Hey. I found out that the Splunk App for Incapsula/Imperva is looking for a sourcetype of incapsula. I set it to that and will see what the results are!

I will let you all know. Thanks!

richgalloway · ‎01-05-2016

There is no pre-trained sourcetype for Imperva so you'll have to create your own. You could put "sourcetype=Imperva" in your inputs.conf file and then add a "[Imperva]" stanza to your props.conf file to tell Splunk how to process those logs.

---
If this reply helps you, Karma would be appreciated.

stephanefotso · ‎01-05-2016

Take this as an example. You can put your inputs.conf file in $SPLUNK_HOME$/etc/system/local

[monitor://<path>]
index = myindex
sourcetype = mysourcetype
...
<attrbute> = <val>
<attrbute> = <val>

SGF

How do I configure the sourcetype in inputs.conf to index Incapsula Imperva logs in Splunk?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How do I configure the sourcetype in inputs.conf to index Incapsula Imperva logs in Splunk?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits