Hello team, Am working with dovecot logs-- it's a mail logs. I managed to integrate it with Splunk through syslog. it gives me the logs in this format (Attached screenshot) Now, I want to create a new field to have value of to/receiver From the screenshot the value of to/receiver is in lda(value) NOTE: on the below screenshot I dont have to/receiver values i just have from/sender and subject   Help me please ! ... View more

We are in the process of data onboarding. We managed to deploy a distributed architecture in which we have 3 indexers, 3 search, mastercluster, deployer, deployment, and 2 intermediate forwarders. On my syslog server, I receive logs from the firewall through syslog port 10514 and I managed to install a forwarder into my syslog server connected to my deployment server.  and on my forwarder configuration file, I connect to all 2 intermediate forwarders Now help me to finish this task, how can I manage to see the firewall logs in my Splunk? What do you think I should edit into my syslog server? Please remember I don't write the syslog logs(firewall) into a file. Its onstream logs My forwarder inputs.conf file| [udp://514] connection_host = ip index = tcra_firewall_idx sourcetype = tcra:syslog:log ... View more