Refine your search:

The App doesn't seem to track back to the data from the Juniper logs. Our data is source="syslog" from our Juniper boxes, how do we tie this back to the Junipe SA App for the field extractions?

asked 07 Nov '12, 18:27

e3splunk's gravatar image

e3splunk
1
accept rate: 0%


2 Answers:

The Juniper SA app expects the sourcetype of the data (for field extractions, etc) to work to be "juniper_sa_log". If you've got it branded as "syslog", then the rules that apply to the Juniper SA app won't be triggered. You can consider renaming the sourcetype if the Juniper data is the only thing coming in from syslog. Otherwise, you'll want to apply the "sa_sourcetyper_rule" to your incoming data. The existing rule looks like this:

[source::udp:514]
TRANSFORMS-sasourcetype = sa_sourcetyper

You'll want to write something like this in your props.conf:

[syslog]
TRANSFORMS-sasourcetype = sa_sourcetyper
link

answered 07 Nov '12, 19:22

sowings's gravatar image

sowings
6.0k310
accept rate: 32%

i've renammed the sourcetype for our juniper SA log, we had it be "vpnssl", so i renammed it for "juniper_sa_log", but the data is still not showing as expected in juniper-SA app's dashboard and searches, is there a kind of manual that i could get my hands on?

link

answered 10 Jul '13, 07:29

secinfo's gravatar image

secinfo
111
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×137

Asked: 07 Nov '12, 18:27

Seen: 715 times

Last updated: 10 Jul '13, 07:29

Copyright © 2005-2014 Splunk Inc. All rights reserved.