I am integrating Imperva logs into Splunk. I cannot seem to figure out what to set the sourcetype to in the inputs.conf file. I am using the SIEM connector to gather the logs to my Linux server and then having Splunk pick it up from there. Any help is much appreciated!
Hey. I found out that the Splunk App for Incapsula/Imperva is looking for a sourcetype of incapsula. I set it to that and will see what the results are!
I will let you all know. Thanks!
There is no pre-trained sourcetype for Imperva, so you'll have to create your own. You could put "sourcetype = Imperva" in your inputs.conf file and then add an "[Imperva]" stanza to your props.conf file to tell Splunk how to process those logs.
Take this as an example. You can put your inputs.conf file in $SPLUNK_HOME/etc/system/local.
[monitor://<path>]
index = myindex
sourcetype = mysourcetype
...
<attribute> = <val>
<attribute> = <val>
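As an added worked example (not part of the answer above or any Splunk/Imperva documentation), here is the inputs.conf monitor stanza paired with the props.conf stanza that gives the custom sourcetype its parsing rules. The file path /var/log/imperva/*.log, the index name imperva, and the assumption that the SIEM connector writes one CEF event per line with a millisecond epoch timestamp in a start= field are all assumptions; check a few lines of the connector's output and adjust TIME_PREFIX and TIME_FORMAT if your format differs.

```ini
# inputs.conf  -- on the Linux host where the SIEM connector writes its files
# (typically a universal forwarder). Path and index are assumptions.
[monitor:///var/log/imperva/*.log]
index = imperva
sourcetype = Imperva
disabled = 0

# props.conf  -- on the parsing tier (indexer or heavy forwarder), since a
# universal forwarder does not apply line-breaking or timestamp settings.
# Assumes CEF output: one event per line, long lines, "start=<epoch ms>".
[Imperva]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 0
TIME_PREFIX = start=
TIME_FORMAT = %s%3N
MAX_TIMESTAMP_LOOKAHEAD = 13
KV_MODE = auto
```

Two practical points. The sourcetype name itself is arbitrary, but it must match on both sides: whatever you set in inputs.conf is the stanza name in props.conf, and if you plan to use the Splunk App for Incapsula/Imperva that the original poster mentions, use the name that app searches for (incapsula) rather than Imperva, or its dashboards will show nothing. And put props.conf where parsing actually happens; a universal forwarder largely ignores it, so a stanza placed only on the forwarder will leave events with the wrong timestamp or merged lines.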