I've got an SRX 220, set to spit out logs to Splunk. Events Indexed is at 2,475 and climbing over the last 4 hours. In troubleshooting the config, I made a couple of edits related to the inputs.conf file, so I'd like to ensure that these are correct.
My issue is that when I go into the App: Splunk for Juniper SRX, regardless of whether I go to the Traffic Dashboard or the Application Dashboard, I'm receiving "No results found. Inspect...".
I'm not sure if I've banged up the config within Splunk, or if I'm not sending the correct data out of the SRX. Any help would be greatly appreciated.
The sourcetype needs to be "srx_log".
The README file specifically mentions this. The data comes in as srx_log and then gets split into two other sourcetypes, "srx_threat" and "srx_traffic". You can see this by going to the app and looking at the files in default called props.conf, transforms.conf and macros.conf.
In macros.conf you will see the base macros are expecting your data to have certain sourcetypes. All of the other searches are based off of this.
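To illustrate the sourcetype chain the answer describes, here is an added configuration example (not the app's own files and not from the original post): an inputs.conf stanza that tags the SRX syslog feed as srx_log, plus a props.conf/transforms.conf pair of the kind that re-labels those events as srx_traffic or srx_threat. The UDP port, stanza names and regexes are assumptions for illustration only.

```ini
# inputs.conf (added example; assumes the SRX sends syslog to UDP 514)
# Without sourcetype = srx_log the events land as "syslog" and the app's macros never match them.
[udp://514]
sourcetype = srx_log
connection_host = ip
index = main

# props.conf (illustrative of how the app's default/props.conf hands srx_log to transforms;
# the TRANSFORMS name is an assumption)
[srx_log]
TRANSFORMS-srx = srx_set_traffic, srx_set_threat

# transforms.conf (illustrative; regexes are assumptions based on common SRX syslog tags,
# not the app's actual patterns)
[srx_set_traffic]
REGEX = RT_FLOW_SESSION_(CREATE|CLOSE|DENY)
FORMAT = sourcetype::srx_traffic
DEST_KEY = MetaData:Sourcetype

[srx_set_threat]
REGEX = (RT_IDP|RT_UTM|RT_SCREEN)
FORMAT = sourcetype::srx_threat
DEST_KEY = MetaData:Sourcetype
```

After a restart, running `sourcetype=srx_log OR sourcetype=srx_traffic OR sourcetype=srx_threat | stats count by sourcetype` in the Search app shows whether the split is actually happening; if the events only ever show up under sourcetype=syslog, the inputs.conf sourcetype is what needs fixing.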
Version 6.1
search sourcetype=syslog results in a page with a left column and main view. The left column is filled with Selected Fields, host (7) / source (1) / sourcetype (1), followed below by Interesting Fields: date_hour, date_mday, date_minute, date_month, etc.
My main view window lists i, time and event columns, with a slew of info within those columns.
What version of Splunk?
Also, can you tell us what you see if you just go to the search app and type in a search sourcetype=syslog?