https://splunkbase.splunk.com/app/4366/
I'm just using the default props.conf that ships with the add-on:
Splunk_TA_citrix_netscaler_Enosys/default/props.conf
# Print the add-on version recorded in app.conf (grep reads the file directly).
grep -i version Splunk_TA_citrix_netscaler_Enosys/default/app.conf
Version 1.1 of this add-on works only when Citrix NetScaler syslog is forwarded to Splunk through a Splunk Heavy Forwarder, Splunk Enterprise, or Splunk Cloud (a full Splunk instance that runs the props/transforms parsing pipeline).
version = 1.1
Excerpt of the sourcetype stanza from that props.conf:
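# Sourcetype for Citrix NetScaler syslog (Splunk_TA_citrix_netscaler_Enosys 1.1).
# All fields come from the REPORT/EXTRACT regexes and the EVALs below: automatic
# key=value parsing is off and every syslog line is its own event.
[citrix:netscaler:syslog]
KV_MODE=none
SHOULD_LINEMERGE = false
# Search-time extractions whose definitions live in transforms.conf (not shown here).
REPORT-citrix_netscaler_syslog = citrix_netscaler_syslog,netscaler_syslog_quoted_fields,netscaler_syslog_unquoted_fields
# Pulls the event name out of the NetScaler syslog header
# (date, time, ..., "<feature> <event_name> <id> 0 : ...").
# NOTE(review): the posted stanza showed the capture group as "(?\w+)", which is
# not a valid regex and would be rejected when Splunk compiles the EXTRACT. The
# group name was presumably stripped as an HTML tag; "event_name" is assumed here
# because the EVAL-dest and EVAL-action expressions below consume that field --
# confirm against the shipped props.conf.
EXTRACT-1-syslog_event_name = \s+[\d\/]{10}(:\d{2}){3}\s+\w{3}\s+\S+\s+\S+\s+:([^:]+)?\s+\w+\s+(?<event_name>\w+)\s+\d+\s+0\s+:\s+.+
# Total traffic in both directions; null when either counter is missing.
EVAL-bytes = Total_bytes_recv+Total_bytes_send
# Source/Destination are split on ":" as "ip:port". This only holds for IPv4
# literals; an IPv6 address would be cut at the wrong colon -- TODO confirm the
# address format NetScaler emits before relying on dest_port/src_port.
EVAL-dest_ip = mvindex(split(Destination,":"),0)
EVAL-dest_port = mvindex(split(Destination,":"),1)
EVAL-src_ip = mvindex(split(Source,":"),0)
EVAL-src_port = mvindex(split(Source,":"),1)
EVAL-vendor = "Citrix Systems"
# CIM aliases: app, user, bytes_in, bytes_out, dvc.
FIELDALIAS-cim_builder = event_source AS app User AS user Total_bytes_recv AS bytes_in Total_bytes_send AS bytes_out ns_name AS dvc
# dest: normally the IP part of Destination. When Destination is absent,
# *CONNSTAT events fall back to Remote_ip and LOG(IN|OUT)-prefixed events fall
# back to the reporting host. Note the unanchored "." in "^LOG(IN|OUT).", so
# LOGIN_FAILED also takes the host fallback, unlike the anchored pattern in
# EVAL-action. Any other event without Destination gets a null dest.
EVAL-dest = if(isnull(Destination),if(match(event_name,".CONNSTAT$"),Remote_ip,if(match(event_name,"^LOG(IN|OUT)."),host,mvindex(split(Destination,":"),0))),mvindex(split(Destination,":"),0))
# Duration arrives as "HH:MM:SS"; strptime anchors both values to the same day,
# so the difference is seconds, then scaled by 1000 to milliseconds.
# NOTE(review): CIM Network Traffic defines duration in seconds, so the *1000
# looks like a unit mismatch; left unchanged to avoid breaking existing searches
# -- confirm. Sessions of 24h or more presumably fail to parse with %H (null).
EVAL-duration = (strptime(Duration,"%H:%M:%S")-strptime("00:00:00","%H:%M:%S"))*1000
# src: IP part of Source, or Client_ip when no Source field was extracted.
EVAL-src = if(isnull(Source),Client_ip,mvindex(split(Source,":"),0))
FIELDALIAS-device_serial_number_chassis = device_serial_number AS chassis
# CIM action mapping. case() has no default branch, so events other than
# *CONNSTAT, LOGIN, LOGOUT and *LOGIN_FAILED* leave action null; detections
# keyed on action=failure therefore only ever see LOGIN_FAILED events.
EVAL-action = case(match(event_name,".*CONNSTAT$"), "allowed", match(event_name,"^LOG(IN|OUT)$"), "success", match(event_name,"LOGIN_FAILED"), "failure")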