Thanks for the answer and the documentation references. I have implemented this via splunkweb and it is not working. Reviewing the documentation, it is clear that the sourcetype must be associated with the incoming data stream. However, this log comes from a forwarder, so I find no way within splunkweb to make this association. Do I need to directly edit the forwarder conf file? If so, is it the same configuration you provided? Thanks for the help, and sorry for the slow reply; this work is 3rd priority and doesn't get as much time as it should.