I have tested the EVAL statement as provided in the transforms.conf at seaech time and it is working fine. But the new fields that i want to add from the csv file is not getting appended to the logs that are getting ingested on a match dst_ip field of log with the dst_ip field of csv. From the documentation i came to know that i have to configure fields.conf also. I have configured the same with INDEXED=true for the new field that i want to append to the logs. But still the logs are not appended with the new fields.  i followed the link https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Define_additional_indexed_fields . this shows to append new fields to the logs based on extraction from the actual log. What i actually require is that i want the logs to be appended with fields from my csv file. Can you please guide us in configuring the props.conf and transforms.conf properly such that the logs are enriched with fields from the csv file for match. thanks and regards ... View more

There is no need to install Splunk Enterprise and Universal Forwarder on the same server.  It can be done, but requires special effort with little gain.  Splunk Enterprise is capable of everything the UF does. 1) Put the UF on the syslog server and SE on separate servers. 2) The receiver address is that of Splunk.  It's the server that will receive data from the UF. 3) Which Microsoft add-on?  There are several and most are not needed. 4) Configure syslog to save events to disk files.  Configure the UF (in inputs.conf) to monitor those disk files. ... View more