I was wondering where I should click to access this: /etc/system/default
I need to edit it.
Hi @guentnergroup,
Always create a config in the local directory. Never touch the config in the default directory.
You can create and edit props and transforms in two places:
1) Either create props & transforms in /etc/system/local, or
2) Create an app and edit the files in /etc/apps/<appname>/local/.
Thanks both, but my question is where to do that. From the GUI? Where should I click to access these locations: /etc/system/default or /etc/apps/<appname>/local/?
I am using this software for the first time, so I don't have experience with it.
Hi @guentnergroup,
There won't be any location paths in the GUI like /etc/default.
If you want to edit props & transforms.conf, navigate to Settings -> Fields and make the required changes there.
While editing any extractions, it will ask for the location to save them. You can select any app from the dropdown, and the extractions will be saved in that app.
My suggestion: without any experience, don't touch props & transforms.conf. You can always read the docs, understand them, and then edit the conf files.
When you are using the GUI to modify those "files", you are always editing the local version of them, never the ones under default.
Then the next question is which app's version you are editing.
The actual place depends on which kind of roles you have. Do you have a role which can deploy anything to those apps, or are you a normal user who doesn't have the power to write under .../etc/apps/XXXX? If you don't have that power, then all those are stored under ..../etc/users/<your id>/<App X>/...
If you have the power to deploy those under real apps and change the permission to Apps or Global, then those are written to .../etc/apps/<App X>/local/
You can find more in the docs by looking up configuration file precedence.
So my problem is that I have to put different "source types" under UDP port 514.
Because I have Fortigates, Cisco, Cisco ISE... and all of them use a different "source type". And when I asked whether it is possible to just add multiple "source types", the sales guy from Splunk gave me these two links:
You could follow those instructions to get different sourcetypes for those feeds. But a much better and safer way is to use a separate syslog server to terminate the syslog feeds. Terminating those on Splunk always leads to losing more or fewer events than using real syslog servers.
You should definitely choose a Linux platform to run it. Then choose whichever syslog software you like more. I think that rsyslog and syslog-ng are both about equal to run. The configurations are different, but both work. There is also Splunk's SC4S, which is a "ready to run" syslog installation.
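As an added example (not from this thread, and not Splunk's or any add-on's own code), here is a small Python script for the "different sourcetypes on one UDP 514 input" case: it checks the sourcetype-override regexes against a few constructed sample lines before you commit them, then prints the props.conf and transforms.conf stanzas to drop into $SPLUNK_HOME/etc/apps/<appname>/local/ on the indexer or heavy forwarder that parses the feed, as the earlier answers describe. The stanza names, the sourcetype values, the sample lines and the regexes themselves are all assumptions for illustration: the patterns follow the usual shapes of Fortigate key=value logs, Cisco IOS %FACILITY-SEVERITY-MNEMONIC messages and Cisco ISE CISE_* messages, and must be tuned against your own captured samples.

```python
import re

# Constructed sample lines (not taken from the thread). They imitate the public
# syslog formats of Fortigate, Cisco IOS and Cisco ISE, plus one line that matches
# nothing, so the fallback path is exercised too.
SAMPLE_LINES = [
    '<189>date=2024-01-10 time=12:00:01 devname="FGT-EDGE" devid="FG100ETK1" '
    'logid="0000000013" type="traffic" subtype="forward" action="accept"',
    '<189>Jan 10 12:00:02 sw-core-1 123: *Jan 10 12:00:02.123: '
    '%SYS-5-CONFIG_I: Configured from console by admin on vty0',
    '<182>Jan 10 12:00:03 ise-psn-1 CISE_Passed_Authentications 0000123456 1 0 '
    '2024-01-10 12:00:03.000 +00:00 5200 NOTICE Passed-Authentication: Authentication succeeded',
    '<14>Jan 10 12:00:04 unknown-box some-daemon[123]: hello world',
]

# Assumed names: the transform stanza names and target sourcetypes are chosen for
# this example; use whatever the add-on you install expects.
# Order matters: Splunk applies the transforms named on a TRANSFORMS-<class> line
# in the order listed, and a later matching transform overwrites the sourcetype
# set by an earlier one, so this list is written to props.conf in this order.
RULES = [
    ("set_st_fortigate", "fortigate", r"devname=\S+\s+devid="),
    ("set_st_cisco_ios", "cisco:ios", r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:"),
    ("set_st_cisco_ise", "cisco:ise", r"\bCISE_[A-Za-z_]+\s"),
]

# Sourcetype a plain UDP 514 input keeps when no transform matches.
DEFAULT_SOURCETYPE = "syslog"

COMPILED = [(name, st, re.compile(rx)) for name, st, rx in RULES]


def classify(line: str) -> str:
    """Return the sourcetype Splunk would assign to one raw line.

    Mirrors index-time behaviour: every matching transform sets
    MetaData:Sourcetype, so the last matching rule in list order wins.
    """
    sourcetype = DEFAULT_SOURCETYPE
    for _name, st, rx in COMPILED:
        if rx.search(line):
            sourcetype = st
    return sourcetype


def classify_all(lines):
    """Classify a batch of lines, e.g. read from a captured sample file."""
    return [classify(line) for line in lines]


def render_conf(source_stanza: str = "source::udp:514"):
    """Emit props.conf and transforms.conf text for RULES.

    Both files belong in $SPLUNK_HOME/etc/apps/<appname>/local/ on the instance
    that parses the data (indexer or heavy forwarder), never under .../default/.
    """
    names = ", ".join(name for name, _st, _rx in RULES)
    props = f"[{source_stanza}]\nTRANSFORMS-set_sourcetype = {names}\n"
    transforms = ""
    for name, st, rx in RULES:
        transforms += (
            f"[{name}]\n"
            f"REGEX = {rx}\n"
            f"FORMAT = sourcetype::{st}\n"
            "DEST_KEY = MetaData:Sourcetype\n\n"
        )
    return props, transforms


if __name__ == "__main__":
    for line, st in zip(SAMPLE_LINES, classify_all(SAMPLE_LINES)):
        print(f"{st:10s}  {line[:60]}")
    props, transforms = render_conf()
    print("\n# props.conf\n" + props)
    print("# transforms.conf\n" + transforms)
```

Two caveats when you use this for real: index-time transforms like these run only where parsing happens (an indexer or heavy forwarder), not on a universal forwarder, and a line that matches none of the regexes silently stays "syslog", so run classify_all over a real capture from port 514 and look at what falls through before trusting the rules.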