Hi Hunter,
Thank you for the response. I should clarify that I'm more so a newbie with administration and data handling, rather than being a user of Splunk and its resources within the web interface.
I have a bit better grasp on how the architecture will be set up. I do have a question about data ingestion though. Can you point me in the right direction if I want to accomplish the following tasks:
I want to receive data from a Cisco ASA FW for VPN logging purposes. This data comes in with different formats depending on the VPN log.
I want to have each uniquely formatted VPN log indexed as a separate sourcetype. How is this possible and where do I start making config changes to accomplish this?
Furthermore, I want to ingest more VPN data from another Cisco ASA FW but I need to tag this data in a way that it is separate from the first Cisco FW. I'd prefer to have it tagged with a custom ID, rather than differentiating by the 'host' or 'source' field. If this is done through specific config files, can you point out which ones and which locations?
Thank you!
Bobby
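The two tasks in the post above (one sourcetype per VPN message format, and a custom per-firewall identifier that is not host or source) are both index-time operations in Splunk, done with props.conf and transforms.conf on the indexer or heavy forwarder that first parses the events, not on a universal forwarder. The following is an added example written for this thread, not configuration from the original post or from Splunk's own add-ons. It assumes the ASA syslog input is already assigned sourcetype cisco:asa in inputs.conf, that the two firewalls are seen by Splunk as hosts 203.0.113.10 and 203.0.113.20 (made-up documentation addresses), and that the "uniquely formatted" VPN logs Bobby means are the ASA 722xxx (AnyConnect/WebVPN session) and 113xxx (AAA) message-ID families; the sourcetype names cisco:asa:vpn_session, cisco:asa:vpn_aaa and the field name fw_id are my choices.

```ini
# ---- props.conf ------------------------------------------------------------
# Put these in $SPLUNK_HOME/etc/apps/<your_app>/local/ on the indexer or heavy
# forwarder (index-time settings are ignored on a universal forwarder).

# Everything from the ASA input arrives as cisco:asa. The transforms listed
# here run in order; each one that matches rewrites the event's sourcetype.
[cisco:asa]
TRANSFORMS-set_vpn_sourcetype = asa_vpn_session, asa_vpn_aaa

# Per-firewall tagging keyed on the host Splunk assigned at input time
# (the sending IP with connection_host = ip). Addresses are placeholders.
[host::203.0.113.10]
TRANSFORMS-fw_id = set_fw_id_a

[host::203.0.113.20]
TRANSFORMS-fw_id = set_fw_id_b

# ---- transforms.conf -------------------------------------------------------
# Assumed: AnyConnect/WebVPN session messages carry IDs 722000-722999,
# e.g. "%ASA-6-722051:". Adjust the ID families to the formats you see.
[asa_vpn_session]
REGEX = %ASA-\d-722\d{3}
FORMAT = sourcetype::cisco:asa:vpn_session
DEST_KEY = MetaData:Sourcetype

# Assumed: AAA authentication/authorization messages carry IDs 113000-113999.
[asa_vpn_aaa]
REGEX = %ASA-\d-113\d{3}
FORMAT = sourcetype::cisco:asa:vpn_aaa
DEST_KEY = MetaData:Sourcetype

# Write an indexed field fw_id onto every event from the matching host.
# REGEX must match for the transform to fire; "." matches any event.
[set_fw_id_a]
REGEX = .
FORMAT = fw_id::FW-A
WRITE_META = true

[set_fw_id_b]
REGEX = .
FORMAT = fw_id::FW-B
WRITE_META = true

# ---- fields.conf -----------------------------------------------------------
# Tell search time that fw_id lives in the index, so fw_id=FW-B is a fast
# indexed lookup rather than a search-time extraction.
[fw_id]
INDEXED = true
```

After restarting splunkd (or reloading the app), send a test event from each firewall and confirm with `index=<your_index> fw_id=FW-B | stats count by host sourcetype` that events from the second ASA carry the tag and that the sourcetype split happened. Two caveats: index-time changes only affect data ingested after the change, so existing events keep their old sourcetype and have no fw_id; and if the two ASAs can each be pointed at their own UDP/TCP port, a separate inputs.conf stanza per port with `_meta = fw_id::FW-B` tags the data at input time with no transforms at all, which is simpler to reason about when the firewalls' source IPs may change.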