Oct 18 08:49:31 X.X.X.80 251188:63:netmgtd:18-Oct-2017 08:49:29.341224:rca_ocptcp.c:655:AUDIT:grpadmin:25.7.4:GUI: Account grpadmin from X.X.X.X to X.X.X.8 logged out. Sourcetype =equal_log Oct 18 07:43:01 X.X.X.80 251003:61:netmgtd:18-Oct-2017 07:42:59.604422:rca_ocp.c:1372:AUDIT:grpadmin:25.7.3:GUI: Account grpadmin logged in from X.X.X.X to X.X.X.8, using local authentication. User privilege is group-admin. Sourcetype =equal_log Oct 18 06:00:52 X.X.X.62 2109:125:VolExec:18-Oct-2017 06:00:50.382206:VE_VolSetWorker.hh:151:WARNING::43.3.5:Volume MAIL has used 1 percent of its local replication reserve. If the in-use space exceeds the local replication reserve (set to 5 percent of the volume reserve), the group will cancel any in-progress replication for the volume. Sourcetype =cisco:ios Above is the latest sample event. From the above events, I have noticed that its parsing correctly the event from equallogic, however, weird thing is I had put a host which ends in x.x.x.8, however, this log from host x.x.x.80 also seems to have parsed in sourcetype :equal_log. How did this happen ? I didnt event mention any wildcard. ... View more

Hi @Damien, Thanks for your input. I found that list very useful. In that list 1514 and 1515 is not mentioned, however, I am already using 1514 for meraki. would it be safe to use 1515 for esx hosts? I am using props.conf / transforms.conf for Equallogic. ... View more

We have data coming directly to Heavy Forwarder, can we still use the above ports ?/ ... View more

I have already tried that option too by removing the "time" input from the "edit" dashboard" layout. But still it doesnt work. So, I just did a test and noticed that "schedule delivery" option becomes available once you remove any kind of input that is there, however, at that point it is not of any use because the dashboard doesnt generate any data as the input itself is not present ... View more

Hi @MuS, I have to set the timezone as stated in the http://wiki.splunk.com/Community:VMwareESXSyslog doc by using below syntax, [host::myesx.splunk.com] TZ=UTC if I have 8 hosts that are named such as, cd.esx1.mail.....cd.esx6.mail and cd.svm1.mail...cd.svm3.mail Can I use the below syntax ? [host::cd.esx*] TZ=UTC [host::cd.svm*] TZ=UTC If not, could you please suggest me the most correct way to use the above syntax ? ... View more

Thanks! this was very useful ... View more

Thanks! @MuS ... View more

just by the sourcetype, which at that time was syslog. Then I configured according to as mentioned above. That is when I stopped getting any logs There is S.H (add on installed with visibility OFF), Indexer (no add-on) and Heavy Forwarder (add-on installed with visbility ON and configured as shown above.) Configured F5 according to splunk docs, Add a remote syslog server using the Configuration utility [https://support.f5.com/csp/article/K13080#CU] Configuring the BIG-IP system to log to the remote syslog server using TCP protocol [https://support.f5.com/csp/article/K13080#tcpsyslog] http://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Setup#Configure_iRules_for_LTM ... View more

Hi @walterk82, When I had set udp port 9514 with sourcetype as syslog on my Heavy Forwarder, it accepted all F5 logs, however, when I configured the inputs according to below, [udp://9514] disabled = false connection_host=ip sourcetype = f5:bigip:syslog [tcp://9515] disabled = false connection_host=ip sourcetype = f5:bigip:syslog I stopped receiving any logs from f5. Please help me with this. ... View more

Hi @BlightMan, This extra ":" you mentioned, was it under the "Set the timezone" section of that page http://wiki.splunk.com/Community:VMwareESXSyslog ? ... View more

Hi @MuS, that link takes to the splunk documentation page. Can you please post the updated link ? Thanks, Deven ... View more

Hi MuS, How to specify the port for configuring syslog in EqualLogic ? There is no option for port. If we just put the IP, which port does it sends to ? From Splunk side, do we need to create a TCP port or UDP port for EqualLogic ? Thanks ... View more

So, I followed your advice and created udp port 514 for ESX logs. I configured everything exactly through instructions give in this link. https://wiki.splunk.com/Community:VMwareESXSyslog But, I am still not getting any logs. Another question, since I cant use Splunk for Vmware app in my scenario. Is there any Vmware app for Splunk in Windows environment ? ... View more

Hi @sideview, Can you please point where exactly the status option is displayed on the Search and Reporting page of Splunk ? Thanks ... View more

Hi @pmakwana, Thanks for that. I was finally able to resolve that issue. ... View more

Hi @walterk82, If I just need to collect logs from LTM, is configuring just the UDP and TCP inputs enough rather than modular inputs of the add-on ? ... View more

ok. thanks! ... View more

So you recommend to install only the add-on ? ... View more

Hi @walterk82 Thanks for your input. So, does that mean it is advisable to install both the F5 Networks - LTM App and Splunk Add-on for F5 BIG-IP to get LTM-F5 logs ? Because, nowhere the documentation states that both app and add-on needs to installed. ... View more

I am configuring this for the Splunk supporting add-on for active directory and I don't seem to find this "update" domain button anywhere on the page. ... View more