Syslog Configuration required for custom sourcetypes

msatish
Path Finder

I think Splunk doesn't have a built-in/defined sourcetype for ExtremeCloud XIQ logs. Can we define a custom sourcetype, like `extremecloud:xiq`, in the syslog server (splunk_metadata.csv)? If so, how do we make sure the logs coming from the ExtremeCloud XIQ platform land in the "extreme" index and use the "extremecloud:xiq" sourcetype?

0 Karma
1 Solution

livehybrid
SplunkTrust

Hi @msatish 

Just to confirm - are you using SC4S? 

I am not familiar with ExtremeCloud XIQ and it isn't a "known product" to SC4S, however we should still be able to update splunk_metadata.csv.

Do you know if the data is being sent in CEF format? If possible please could you provide a couple of lines of your events to help us work out the correct values for the splunk_metadata.csv file?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

dionrivera
Communicator

The following link provides the common format for CEF log format, assuming that's your format.

https://splunk.github.io/splunk-connect-for-syslog/main/sources/base/cef/#splunk-metadata-with-cef-e...

VatsalJagani
SplunkTrust

@msatish - Yes, you can always define your own sourcetype & your own custom index that you want any data to fall into.

But as @livehybrid is asking, you need to figure out how you are collecting the data & which format the logs are in, so you can figure out in which config file & where you can apply the new sourcetype & index. And you also need to put props.conf configuration (parsing, timestamp extraction, field extraction, etc.) in place for your custom sourcetype.

And make sure the index is created on your indexers before you start pushing data into your custom index.

I hope this helps!!!

msatish
Path Finder

@VatsalJagani / @livehybrid  https://apps.splunk.com/app/1780/ - Does this EXOS app still help with parsing, or is it an outdated one? Is EXOS an old Extreme operating system?

0 Karma

VatsalJagani
SplunkTrust

@msatish - As mentioned by @dionrivera, you can use SC4S CEF for parsing.

But if you want to parse the already ingested CEF-formatted data in Splunk, then you can use this app's custom search command to do that.

https://splunkbase.splunk.com/app/7701

0 Karma

msatish
Path Finder

@livehybrid 

Yes, logs need to be forwarded to SC4S. ExtremeCloud IQ will be sending logs in the legacy SYSLOG format RFC3164. Can we use the app parser configuration file on the syslog server where we plan to receive Extreme AP logs in the legacy SYSLOG format RFC3164? Will this help in normalizing the data received from the Extreme AP when tweaked as per the log sample?

Here is the resource I am referring to:

https://splunk.github.io/splunk-connect-for-syslog/main/sources/

Also, do we need an add-on or app to be installed, or does just defining the app_parser conf file on the syslog server help?

0 Karma
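An SC4S app parser for the RFC3164 case discussed in this thread, added here as an illustration and not taken from the thread or from the SC4S project. It assumes SC4S's default local path `/opt/sc4s/local/config/app_parsers/`, the `sc4s-syslog-pgm` application group used for parsers keyed on the syslog program field, and a placeholder program-name match, since no sample events were posted; the filter has to be adjusted once a real log line is available.

```conf
# /opt/sc4s/local/config/app_parsers/app-syslog-extremecloud_xiq.conf
# (assumed default local path for custom SC4S app parsers)
# Example only: routes ExtremeCloud XIQ RFC3164 syslog to index "extreme"
# with sourcetype "extremecloud:xiq".
block parser app-syslog-extremecloud_xiq() {
    channel {
        rewrite {
            # Sets the Splunk destination defaults for this traffic; a matching
            # row in splunk_metadata.csv can still override any of them.
            r_set_splunk_dest_default(
                index('extreme')
                sourcetype('extremecloud:xiq')
                vendor('extreme')
                product('xiq')
                class('syslog')
            );
        };
    };
};

application app-syslog-extremecloud_xiq[sc4s-syslog-pgm] {
    filter {
        # PLACEHOLDER match: replace 'xiq' with the real program (or switch to a
        # host()/message() filter) taken from an actual ExtremeCloud XIQ event.
        program('xiq' type(string) flags(prefix));
    };
    parser { app-syslog-extremecloud_xiq(); };
};
```

Because vendor and product are set to `extreme` and `xiq`, a later `extreme_xiq,index,extreme`-style row in splunk_metadata.csv (SC4S keys that file on vendor_product for its built-in parsers) can change the index without editing the parser; either way the index must already exist on the indexers, as noted above.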