I'm new to Splunk and I'd like to use this app with a file as data input and not a port on the Splunk server. I'm already running an instance of rsyslog and I don't want Splunk to retrieve logs directly. How can I do this (if possible)?
asked 12 Aug '10, 20:35
You can add the files that rsyslog is storing to a "monitor://" stanza in $SPLUNK_HOME/etc/system/local/inputs.conf; just use the same sourcetype as the Cisco Firewall app is expecting. This would look something like:
answered 12 Aug '10, 20:56
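The stanza the answer describes, written out as an added example (it is not from the original answer or from the app). The file path, the index name and the sourcetype value are assumptions: rsyslog's destination is whatever your rsyslog configuration writes, and the sourcetype must be replaced with the one the Cisco Firewall app's props.conf actually defines, which the thread does not state.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Added example; paths and the sourcetype name are placeholders, not values from the thread.

# Monitor the file rsyslog writes for the firewall. Splunk tails it and
# indexes new lines as they arrive, so no listening port is needed on Splunk.
[monitor:///var/log/rsyslog/cisco/firewall.log]
# Must match the sourcetype the Cisco Firewall app's props.conf expects.
sourcetype = REPLACE_WITH_CISCO_FIREWALL_APP_SOURCETYPE
# Optional: keep firewall events in their own index (create it first).
index = firewall
# Optional: if rsyslog writes one file per device under a per-host directory
# such as /var/log/rsyslog/cisco/<hostname>/firewall.log, take the host name
# from that path segment instead of the Splunk server's own host name.
# host_segment = 5
disabled = false
```

Two things to check after a Splunk restart: `$SPLUNK_HOME/bin/splunk btool inputs list monitor --debug` shows whether the stanza was picked up, and a search such as `sourcetype=<your sourcetype> | head 10` confirms events arrive with the expected sourcetype and timestamp. Because rsyslog prepends its own timestamp and hostname to each line, the app's timestamp and host extraction may behave differently than for events received directly on a network port; if the `host` field comes out as the Splunk server rather than the firewall, set `host_segment` or `host_regex` in the stanza so the device name is taken from the file path.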