I'm about to install the Cisco Networks App and Add-On into our environment, and I'm a bit new with Splunk. What has me a bit concerned are these two stanzas in the props.conf:
```
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xr, force_sourcetype_for_cisco_ios-xe

# VERY experimental for RFC5424 support
[rfc5424_syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios-rfc5424
```
Do I have it right - that these will perform index-time changes to any records with "syslog" and "rfc5424-syslog" types? Changing them to "cisco:asa"?
I'm not certain that I won't end up with "syslog" records which **aren't** related to the Cisco IOS. Could I instead just set the sourcetype manually for the input, and then remove the above from the config?
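To make the mechanics of a `TRANSFORMS-*` stanza concrete, here is an added simulation (not part of the question above and not the Cisco Networks Add-on's own code) of how Splunk applies index-time sourcetype overrides: the props stanza matching the input's sourcetype names a comma-separated list of transforms, each transform rewrites `MetaData:Sourcetype` only if its `REGEX` matches the raw event, later matches in the list override earlier ones, and events that match nothing keep their original sourcetype. The `REGEX` values and the sample syslog lines are constructed for illustration and are not the add-on's real transforms; the `app` sample shows why a non-Cisco record can still be relabelled if its text happens to look like a Cisco message.

```python
import re
import configparser

# Constructed props.conf with the same shape as the [syslog] stanza in the question.
# Only one stanza is modelled; an [rfc5424_syslog] stanza would work the same way.
PROPS_CONF = r"""
[syslog]
TRANSFORMS-force_sourcetype_for_cisco_ios = force_sourcetype_for_cisco_ios, force_sourcetype_for_cisco_ios-xe
"""

# Constructed transforms.conf. The REGEX values are illustrative approximations
# of Cisco syslog message formats, NOT the add-on's real transforms.
TRANSFORMS_CONF = r"""
[force_sourcetype_for_cisco_ios]
REGEX = %[A-Z0-9_]+-\d-[A-Z0-9_]+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios

[force_sourcetype_for_cisco_ios-xe]
REGEX = %IOSXE-\d-[A-Z0-9_]+:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:ios-xe
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk-style .conf fragment (no value interpolation, case kept)."""
    # interpolation=None: '%' is a literal character in Splunk .conf values.
    # delimiters=("=",): Splunk only uses '=', and regex/format values contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; TRANSFORMS-* keys are case-sensitive
    cp.read_string(text)
    return cp


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)


def classify(event: str, input_sourcetype: str = "syslog") -> str:
    """Return the sourcetype an event ends up with after index-time TRANSFORMS-*.

    Modelled semantics: look up the props stanza for the input's sourcetype, run
    every transform named by its TRANSFORMS-* keys in order, and let a transform
    whose DEST_KEY is MetaData:Sourcetype rewrite the sourcetype only when its
    REGEX matches the raw event. A later match overrides an earlier one; an
    event matching no REGEX keeps its original sourcetype.
    """
    sourcetype = input_sourcetype
    if input_sourcetype not in PROPS:
        return sourcetype
    for key, value in PROPS[input_sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            transform = TRANSFORMS[name]
            if transform.get("DEST_KEY") != "MetaData:Sourcetype":
                continue
            if re.search(transform["REGEX"], event):
                sourcetype = transform["FORMAT"].split("sourcetype::", 1)[1]
    return sourcetype


# Constructed sample events, all arriving on one input whose sourcetype is "syslog".
SAMPLE_EVENTS = {
    "ios": "<189>42: *Mar  1 00:01:05.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "iosxe": "<189>77: *Mar  1 00:02:00.001: %IOSXE-4-PLATFORM: R0/0: kernel: constructed message",
    "linux": "<38>Mar  1 00:03:00 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "app": "<14>Mar  1 00:04:00 build01 ci[9]: job %DEPLOY-2-FAILED: rollback triggered",
}


def route_all() -> dict:
    """Map each sample event name to the sourcetype the transforms would assign."""
    return {name: classify(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, sourcetype in route_all().items():
        print(f"{name:6s} -> {sourcetype}")
```

Running it shows the Linux sshd line staying on `syslog` because no regex matches, the IOS-XE line ending on `cisco:ios-xe` because the later transform in the list overrides the earlier `cisco:ios` match, and the constructed `app` line being relabelled `cisco:ios` purely because its text resembles a Cisco message. Setting the sourcetype directly on the input, as the question proposes, sidesteps that last case for inputs that only ever carry one device family.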