So basically, I have a ton of events coming in on UDP 514. Based on the document linked below, I was able to configure my Sourcetype Overrides so not everything comes in as "Palo Alto". However, now my 3PAR Storage Array logs are coming in as:
sourcetype = 3par_array
index = network
I'd like to override my Index field based on the Regex I configured for Sourcetype Overrides, however Splunk says that "DestKey = Index" is undefined. Could someone please help me out?
http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/Advancedsourcetypeoverrides
It is poor practice to syslog directly into Splunk; you should use a Universal Forwarder with a syslog aggregator as described here:
You misunderstand me; the Heavy Forwarder should be a Universal Forwarder and should be running syslog-ng with a filter for each appliance to filter out the sourcetypes to disk directories.
@woodcock - This is routing to the Heavy Forwarder and being parsed there; this is an appliance that cannot have a Universal Forwarder on it, similar to a Palo Alto firewall.
@somesoni2 - That did the trick, thank you.
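An added example (not from the thread or the linked Splunk doc) of the props.conf/transforms.conf pair that reuses the sourcetype-override regex to also override the index; the `source::udp:514` stanza, the `3par-host` hostname in the regex and the `storage` index name are assumptions:

```ini
# props.conf on the heavy forwarder that parses the UDP 514 feed.
# Assumption: the UDP input reports its source as udp:514.
[source::udp:514]
TRANSFORMS-3par = set_3par_sourcetype, set_3par_index

# transforms.conf
# Assumption: the 3PAR array's syslog header carries the hostname "3par-host"
# after the "Mon DD HH:MM:SS" timestamp.
[set_3par_sourcetype]
REGEX = ^\S+\s+\S+\s+\S+\s+3par-host\s
FORMAT = sourcetype::3par_array
DEST_KEY = MetaData:Sourcetype

# Index override: the key is _MetaData:Index (note the leading underscore,
# unlike MetaData:Sourcetype) and FORMAT is the bare index name.
# "DEST_KEY = Index" is not a recognised key, which is the error in the question.
[set_3par_index]
REGEX = ^\S+\s+\S+\s+\S+\s+3par-host\s
FORMAT = storage
DEST_KEY = _MetaData:Index
```

The target index must already exist on the indexers, since events routed to an index that does not exist are dropped unless a lastChanceIndex is configured; after restarting the heavy forwarder, confirm that searches against the new index return the 3PAR events.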