Hi to all.
I'm setting up an integration with Splunk and Splunk ES.
I decided to send events via the HEC method in JSON format.
I understand that in order to accept the events in Splunk ES I need to do two things:
1. Build an add-on for parsing the info.
2. Load the data into a data model.
I'll be happy to get answers to several questions:
1. Do I need to send the events via CEF syslog, or is JSON format good enough?
2. What is the standard event format we should send to Splunk? JSON, syslog, CEF?
I'd be happy if you could explain the process for building an add-on and how to load the data into a data model (CIM).
Thanks to all.
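As an added example (not code from the original post or from Splunk), this is the shape of the HEC JSON sending side described above, with the vendor fields renamed to CIM Authentication data-model names before they leave the sender, so the Splunk-side add-on only needs an eventtype and a tag to feed the data model. The vendor field names, the sourcetype `myvendor:auth`, the host, the HEC URL and the token are all assumptions; the sample events are constructed.

```python
"""Build Splunk HEC /services/collector/event envelopes whose event body
already uses CIM Authentication field names (user, src, dest, app, action).
Added example; vendor field names, sourcetype, host, URL and token are
hypothetical, and the sample events are constructed."""
import json
import time
import urllib.request
from typing import Dict, List, Optional

# Hypothetical vendor field names -> CIM Authentication field names.
CIM_AUTH_MAP = {
    "username": "user",
    "client_ip": "src",
    "server": "dest",
    "application": "app",
}
# Hypothetical vendor outcome values -> CIM "action" values.
CIM_ACTION_MAP = {"ok": "success", "denied": "failure"}
# Fields the Authentication data model needs to be useful in ES searches.
REQUIRED_CIM_FIELDS = ("user", "src", "dest", "action")


def to_cim_auth(vendor_event: Dict) -> Dict:
    """Rename vendor fields to CIM names and normalise the outcome to action.
    Unknown fields are kept. Raises ValueError when a required CIM field is
    missing, so malformed events are rejected before they are sent."""
    cim = {CIM_AUTH_MAP.get(k, k): v for k, v in vendor_event.items()}
    if "outcome" in cim:
        cim["action"] = CIM_ACTION_MAP.get(str(cim.pop("outcome")).lower(), "unknown")
    missing = [f for f in REQUIRED_CIM_FIELDS if f not in cim]
    if missing:
        raise ValueError(f"event missing required CIM fields: {missing}")
    return cim


def hec_envelope(event: Dict, sourcetype: str, host: str, source: str = "myvendor:auth",
                 index: Optional[str] = None, ts: Optional[float] = None) -> Dict:
    """Wrap one event in the HEC event-endpoint JSON envelope.
    'time' is epoch seconds; Splunk uses it as _time instead of receipt time."""
    env = {
        "time": ts if ts is not None else time.time(),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        env["index"] = index
    return env


def hec_batch_body(envelopes: List[Dict]) -> bytes:
    """HEC accepts several envelopes in one request as concatenated JSON
    objects (no enclosing array), which keeps the number of HTTP calls down."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode()


def send_to_hec(body: bytes, hec_url: str, token: str, timeout: float = 10) -> Dict:
    """POST a batch to HEC. The URL and token are assumptions, not from the post."""
    req = urllib.request.Request(
        hec_url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


# Constructed sample vendor events (not real data).
SAMPLE_VENDOR_EVENTS = [
    {"username": "alice", "client_ip": "10.1.2.3", "server": "vpn01",
     "application": "vpn", "outcome": "ok"},
    {"username": "bob", "client_ip": "10.1.2.4", "server": "vpn01",
     "application": "vpn", "outcome": "denied"},
]


def build_batch(vendor_events: List[Dict], host: str = "collector01",
                sourcetype: str = "myvendor:auth", ts: float = 1700000000.0) -> List[Dict]:
    """Convert and wrap a list of vendor events; fixed ts keeps output reproducible."""
    return [hec_envelope(to_cim_auth(ev), sourcetype=sourcetype, host=host, ts=ts)
            for ev in vendor_events]


if __name__ == "__main__":
    body = hec_batch_body(build_batch(SAMPLE_VENDOR_EVENTS))
    print(body.decode())
    # send_to_hec(body, "https://splunk.example.com:8088/services/collector/event", "<hec-token>")
```

With the field names already CIM-compliant in the JSON, the add-on side is small: a `props.conf` stanza for the sourcetype (the JSON body is extracted by the default `KV_MODE`), an `eventtypes.conf` entry that matches the sourcetype, and a `tags.conf` stanza that sets `authentication = enabled` on that eventtype so the Authentication data model picks the events up. The `ValueError` check is the part worth keeping in production: events that reach the index without `user`, `src` or `dest` are silently useless to ES correlation searches.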
Hi
What do you mean by "integration with Splunk and Splunk ES"? Don't you have those in the same environment, where there is no need for a separate integration?
r. Ismo