The documentation for SplunkforSymantec states:
After downloading the app and going through the set up process, you still need to install either the Symantec 11 Technology Add-on or Symantec 12 Technology Add-on. If you are currently running both products, you should install both TAs. They are included with this app in the appserver/addons directory.
How do you install the TA?
Also in the /opt/splunk/etc/apps/SplunkforSymantec/appserver/addons/TA-sepapp12/README there are references to:
$SPLUNKHOME/etc/apps/TA-sep/default/inputs.conf.local To the following location: $SPLUNKHOME/etc/apps/TA-sep/local/inputs.conf
These locations do not exist!
I have a similar issue - can anyone elaborate on the installation instructions? I have a couple of forwarders, and a couple of indexers and a search head (all on different machines). As I understood, I am required to install the TA on the indexers - how does one achieve that? I don't see any option for an spl or tgz file.
I'm having a similar issue. I am seeing events from the Symantec server in the data. I do not see the Symantec Plugin recognizing that data. I've located the TA for sep11 and sep12 in /opt/splunk/etc/apps/SplunkforSymantec/appserver/addons but there is no tgz or spl file to install.