Hi folks,
I’m having an issue getting Juniper logs to show the correct sourcetype. Right now they simply all show up as “sourcetype=juniper”, instead of the expected ones like “juniper:junos:firewall”. I have the Splunk Juniper app installed, and the input selected to use the juniper sourcetype, so the right props/transforms should be breaking down more sub-sourcetypes. Am I missing a step? Thanks!
Did you install the Juniper add-on? It must be installed on the search head as well as the indexer or HF (whichever touches the data first).
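
To illustrate the answer above: splitting `juniper` into sub-sourcetypes is an index-time rewrite, so it only happens on the instance that parses the data first. The fragment below is an added sketch of that mechanism, not the add-on's actual configuration; the class name, the transform stanza name and the regex are assumptions chosen for illustration.

```ini
# props.conf (added illustration; class and stanza names are hypothetical)
# Must be present on the first full Splunk instance that parses the data
# (indexer or heavy forwarder). Placed only on a search head, it is never
# applied to incoming events.
[juniper]
TRANSFORMS-set_junos_sourcetype = example_junos_firewall_sourcetype

# transforms.conf (same instance)
[example_junos_firewall_sourcetype]
# Illustrative pattern: RT_FLOW is the tag Junos SRX puts on session logs.
REGEX = RT_FLOW
# Rewrite the sourcetype metadata field before the event is indexed.
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::juniper:junos:firewall
```

Running `splunk btool props list juniper --debug` on the indexer or HF shows whether a `TRANSFORMS-` line is loaded for the `juniper` stanza and which app supplies it. Events indexed before the transform was in place keep `sourcetype=juniper`; only new events are rewritten.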