I'm running Splunk 4.2.1. I need to take Windows logs with the Snare agent. When I create a data input and select the source type, I can't see the windows_snare_syslog choice.
Help me, please.
The support solution went well.
You should have a props.conf file in SPLUNK_HOME/etc/apps/legacy/default/
You should find a stanza that looks like this...
pulldown_type = true
Make sure pulldown_type is set to true.
If the sourcetype you want doesn't appear in the dropdown list, you can select "Manual" under "Set sourcetype", and then type in windows_snare_syslog directly.