
data onboarding for app installed on distributed system

ranjitbrhm1
Communicator

Hello All, I am planning to install the SonicWall app on my Splunk distributed system. I have a heavy forwarder feeding off a syslog-ng server. When I point the firewall to the syslog-ng server, data is flowing in. I am stuck at how to onboard the data. For instance, what do I choose for the following, keeping in mind that the heavy forwarder is feeding data to 2 indexers and the application is situated on the search head?
1. What is the source type that I have to select?
2. What is the app context?
3. What is the index that I have to select?
The reason for this doubt is that on a standalone system where everything is together I just install the app and select the right settings according to the application, but here the search head is on another server and the HF just feeds data on to the indexers.

0 Karma

tiagofbmm
Influencer

Hi

This case works similarly to the standalone one. You just need to create an inputs.conf to monitor the log files you are generating with syslog-ng.

The proper sourcetype is also in the Splunk SonicWall app, in its props.conf, so your configuration on the HF should be something like

inputs.conf in $SPLUNK_HOME/etc/apps/sonicwall/local/inputs.conf

[monitor://<yourlogsdir>]
index = yourindex
sourcetype = <the one in props.conf>

You also need to create the index on all the indexers.

And finally you need to configure outputs.conf to send the data to the indexers.

Note also that if the SonicWall sourcetype you use has search-time extractions, then you need to put it on the search heads.

0 Karma

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

net1993
Path Finder

Hi
Why is the last thing, about search-time field extraction, required? Can you please explain more?

0 Karma

tiagofbmm
Influencer

Mistake. There is no need for it to be on indexers.

0 Karma

net1993
Path Finder

Don't understand.
"Note also that if the SonicWall sourcetype you use has search-time extractions, then you need to put it on the search heads."
Why do you need to put it on the indexers?
Can you just explain the whole sentence?

0 Karma

tiagofbmm
Influencer

As you just wrote... it's on the search heads, not on the indexers. And like I said before, "indexers" was a mistake and I replaced it with "search heads", as you just copied and pasted.

0 Karma
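The tier-by-tier layout that tiagofbmm's answer describes (inputs.conf and outputs.conf on the heavy forwarder, the index on every indexer, the app's search-time props on the search head) as one worked set of config fragments. This is an added example, not configuration from the thread or from the SonicWall app itself: the log path, index name, indexer hostnames and the `sonicwall` sourcetype value are constructed placeholders, and the sourcetype must be replaced with the stanza name actually found in the app's props.conf.

```ini
# --- Heavy forwarder: $SPLUNK_HOME/etc/apps/sonicwall/local/inputs.conf
# Monitor the files syslog-ng writes for the firewall. Path, index and
# sourcetype are constructed placeholders for this example.
[monitor:///var/log/syslog-ng/sonicwall/*.log]
index = sonicwall
sourcetype = sonicwall
disabled = 0
# If syslog-ng writes one directory per firewall, set host_segment so the
# host field is taken from the path; otherwise host becomes the HF itself.

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
# Send parsed (cooked) data to both indexers; keep no local copy on the HF.
[tcpout]
defaultGroup = sonicwall_indexers
indexAndForward = false

[tcpout:sonicwall_indexers]
# Assumed hostnames; both indexers need a splunktcp input on 9997.
server = idx01.example.com:9997, idx02.example.com:9997

# --- Each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
disabled = 0

# --- Each indexer: $SPLUNK_HOME/etc/apps/sonicwall_indexes/local/indexes.conf
# The index must exist on every indexer in the output group; events for an
# unknown index are dropped unless lastChanceIndex is configured.
[sonicwall]
homePath   = $SPLUNK_DB/sonicwall/db
coldPath   = $SPLUNK_DB/sonicwall/colddb
thawedPath = $SPLUNK_DB/sonicwall/thaweddb

# --- Search head: install the app itself; nothing to add to local/.
# Search-time settings in the app's props.conf (EXTRACT-*, REPORT-*,
# FIELDALIAS-*, EVAL-*, LOOKUP-*) only take effect where searches run,
# which is why the app must be on the search head. Index-time settings in
# the same file (LINE_BREAKER, TIME_FORMAT, TRANSFORMS-*) take effect where
# parsing happens, which with a heavy forwarder in front is the HF, so the
# app's props.conf is also needed on the HF.
```

Before pointing the firewall at production, check each tier with `splunk btool inputs list --debug`, `splunk btool outputs list --debug` and `splunk btool indexes list sonicwall --debug` on the respective host; btool prints the file each setting was resolved from, which is the quickest way to confirm that the index name and sourcetype on the HF match what the indexers and search head actually have.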