Hi, I have just begun ingesting F5 logs, I am not using the modular inputs component at present and am only seeing ASM logs via syslog. Logs are being sent to a syslog server and file monitoring is set to pull into splunk indexer. But when searching logs the logs dont seem to be separating expected "during index time, the add-on separates the data into more specific source types."
I have an inputs.conf file on the rsyslog server distributed by a universal forwarder.
[monitor:..........]
disabled = 0
host_segment = 5
index=f5
sourcetype= f5:bigip:syslog
I have removed the inputs from the indexer and have added the add-on to the search head as well. Confused as to why the logs are separating. Hoping someone can help
Cheers