How do I configure the sourcetype in inputs.conf t...

brent_weaver · ‎01-05-2016

Hello there..

I am integrating Imperva logs into Splunk. I cannot seem to figure out what to set the sourcetype to in the inputs.conf file. I am using the SIEM connector to gather the logs to my Linux server and then having Splunk pick it up from there. Any help is much appreciated!

brent_weaver · ‎01-05-2016

Hey. I found out that the Splunk App for Incapsula/Imperva is looking for a sourcetype of incapsula. I set it to that and will see what the results are!

I will let you all know. Thanks!

richgalloway · ‎01-05-2016

There is no pre-trained sourcetype for Imperva so you'll have to create your own. You could put "sourcetype=Imperva" in your inputs.conf file and then add a "[Imperva]" stanza to your props.conf file to tell Splunk how to process those logs.

---
If this reply helps you, Karma would be appreciated.

stephanefotso · ‎01-05-2016

Take this as an example. You can put your inputs.conf file in $SPLUNK_HOME$/etc/system/local

[monitor://<path>]
index = myindex
sourcetype = mysourcetype
...
<attrbute> = <val>
<attrbute> = <val>

SGF

How do I configure the sourcetype in inputs.conf to index Incapsula Imperva logs in Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation