I would like to use the EMC Isilon Add-on for Splunk Enterprise, but I don't want the add-on to query my device for any logs.
I am currently sending the Isilon logs to a folder on the Splunk forwarder through syslog. I created a local folder in the add-on folder and created an inputs.conf file with the following information:
[monitor://C:\logs\Isilon]
disabled = false
sourcetype = EMC:Isilon:rest
I do receive logs, but the parsed fields are minimal. Basically it passes host, index, event type, sourcetype, line count, and the basics, probably about 10 fields altogether. I believe there are more fields to be parsed, but because of the changes I have made, I have bypassed the script so I feel that's why more fields aren't being parsed.
Does anyone know the app well enough to tell me what to do to get the other fields parsed just as the app was intended?
Thanks,
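The symptom in the question (only the default fields show up) is what happens when a file is tagged with a sourcetype whose extractions expect a different record format than the file actually contains: the add-on's REST sourcetype is built for the JSON the REST poller returns, and a syslog text line does not match it, so only the indexed defaults survive. The following is an added example, not code from the original post or from the EMC Isilon add-on: a small Python model of sourcetype-keyed extraction, run over constructed sample lines. The sourcetype names (`example:isilon:rest`, `example:isilon:syslog`), the regex and the sample lines are assumptions made for the example and do not reflect the add-on's real props.conf or Isilon's actual log format.

```python
import json
import re

# Constructed sample lines (NOT real Isilon output): a syslog-style line as a
# forwarder might write it to a file, and a JSON record of the kind a
# REST-polling input would return.
SYSLOG_LINE = ("<13>Jan 10 12:00:01 isilon-node1 audit_protocol: "
               "user=alice op=open path=/ifs/data/report.pdf result=SUCCESS")
JSON_LINE = ('{"node": "isilon-node1", "user": "alice", "op": "open", '
             '"path": "/ifs/data/report.pdf", "result": "SUCCESS"}')

# Hypothetical sourcetype-keyed extraction table standing in for props.conf.
# Sourcetype names and regexes are assumptions for this example, not the add-on's.
EXTRACTIONS = {
    "example:isilon:rest": {"kind": "json"},
    "example:isilon:syslog": {
        "kind": "regex",
        "pattern": re.compile(
            r"^<(?P<pri>\d+)>(?P<timestamp>\w{3}\s+\d+\s[\d:]+)\s"
            r"(?P<node>\S+)\s(?P<process>[^:]+):\s(?P<body>.*)$"
        ),
        # key=value pairs inside the message body
        "kv": re.compile(r"(\w+)=(\S+)"),
    },
}


def default_fields(line, sourcetype, host="fwd01", index="isilon"):
    """The handful of fields Splunk assigns to every event regardless of parsing."""
    return {
        "_raw": line,
        "host": host,
        "index": index,
        "sourcetype": sourcetype,
        "linecount": str(line.count("\n") + 1),
    }


def extract_fields(line, sourcetype, extractions=EXTRACTIONS):
    """Return the default fields plus whatever the sourcetype's extraction yields.

    A line that does not match its sourcetype's extraction keeps only the
    defaults, which is the 'about 10 fields' symptom described in the question.
    """
    fields = default_fields(line, sourcetype)
    spec = extractions.get(sourcetype)
    if spec is None:
        return fields
    if spec["kind"] == "json":
        try:
            data = json.loads(line)
        except ValueError:
            return fields  # syslog text is not JSON: no extra fields
        fields.update({k: str(v) for k, v in data.items()})
    elif spec["kind"] == "regex":
        m = spec["pattern"].match(line)
        if not m:
            return fields  # wrong shape for this sourcetype: defaults only
        fields.update(m.groupdict())
        fields.update(dict(spec["kv"].findall(m.group("body"))))
    return fields


if __name__ == "__main__":
    # Same syslog line, two sourcetypes: only the matching one adds fields.
    for st in ("example:isilon:rest", "example:isilon:syslog"):
        f = extract_fields(SYSLOG_LINE, st)
        print(f"{st}: {len(f)} fields -> {sorted(f)}")
```

The practical check this suggests: confirm which sourcetype the add-on's props.conf actually applies its field extractions to for syslog-delivered data, and set that sourcetype on the monitor stanza rather than the REST one; with the REST sourcetype on a syslog file, the JSON-oriented extractions have nothing to match.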