Thanks. I downloaded the addon as a .rar file. How do I install that onto Splunk ? README file doesn't tells that. ... View more

Thanks for the link. I read through it. My question now is, how do I point the IronPort to send data to Splunk ? Thanks Ansh ... View more

My entire props.conf reads : [source::udp:514] TRANSFORMS-changesourcetype = riverbed_steelhead, sourcetype_cisco_asa [access_combined] Lookup-hostnames = hostnames ip AS IP OUTPUTNEW Name ... View more

I tried this command., I still get the same error. I also get the error : Possible Typo in the first stanza [access_combined] in props.conf file. ... View more

I tried it and still got the same error. ... View more

Thanks for the reply. I am getting the logs sent to the new source type. I still get that error though. Can I have the logs to go to just the new sourcetype and not to syslogs at all ? Thanks ... View more

I am new to this. First time I am setting up Splunk. I am no where close to being a REGEX Guru. The error that I get is : I get the Error : Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4 Thanks ... View more

One thing I dont understand is, when I restart Splunk, why do I get the typo error ? Is the above change going to make the IP addresses stop using syslog sourcetype and use just the riverbed_steelhead sourcetype ? ... View more

I am figuring it out. I thought the backslash before every dot on the IP address was the right way to do it. I am getting typos for the first line though. Should I specify a source key ? All I need is a way to have 10.10.20.185 use the sourcetype as riverbed_steelhead instead of syslog. ... View more

I am not getting the data in the riverbed_steelhead source type. I get very few messages. 20 out of 8000 messages till now. transforms.conf reads : [riverbed_steelhead] REGEX = (10.12.0.20:10.0.0.33:10.10.20.185) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::riverbed_steelhead Props.conf reads : [source::udp:514] TRANSFORMS-riverbed_src = riverbed_steelhead ... View more

there is a backslash before each ".", which for some reason is not showing up when I type it here. ... View more

I also tried : [10.12.0.20|10.0.0.33) and that did not work either. I dont understand the typo in the first line. ... View more

I have a similar problem. I am trying get the three IP addresses to use a new sourcetye when they send in data. Props.conf reads : [source::udp:514] TRANSFORMS-riverbed_src = riverbed_steelhead TRANSFORMS-changesourcetype = sourcetype_cisco_asa transforms.conf reads : [riverbed_steelhead] REGEX = (10.12.0.20:10.0.0.33:10.10.20.185) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::riverbed_steelhead [sourcetype_cisco_asa] REGEX = (10.12.254.1:10.10.20.254:10.1.250.254) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::cisco_asa I get the Error : Possible typo in stanza [riverbed_steelhead] in transforms.conf. Line 4 Possible typo in stanza [sourcetype_cisco_asa] in transforms.conf. Line 10 Can someone help me find my problem please. FYI : I also tried the format : REGEX = (10.\12.0.20|10.0.0.33|10.10.20.185) ... View more

I added the Transforms commands to the props.conf file in Local Directory. I also tried to change Riverbed_src = riverbed_steelhead. I dont see that index being populated though. ... View more

The Devices are directly sending Syslogs to Splunk with UDP. I can see the data in the Syslog Sourcetype, but when I go to the RiverBed app, I dont see any data. I need to know how to get that data into the App. Can I point to the devices ? Thanks ... View more

The Devices are directly sending Syslogs to Splunk with UDP. I can see the data in the Syslog Sourcetype, but when I go to the RiverBed app, I dont see any data. I need to know how to get that data into the App. Can I point to the devices ? Thanks ... View more

Great. Thanks for your help. ... View more

Thanks for the answer, but I still cannot find the fields. Is there a syntax that I need to put in ? Can you give me an example of it ? Thanks ... View more