Short story:
Using transforms.conf and/or props.conf, how can I set an event's index value?
Long story:
I am using two apps, with two UDP listeners, each with the required sourcetype.
Primarily I am capturing firewall info and Snort-related events. Both of these controls are running on my pfSense gateway. Both the firewall and Snort send their logs to the local syslog, which then gets sent to my Splunk install.
The same syslog is sent to the two listeners I have set up, each listener with the corresponding source type. While this works, I am assuming it will be impacting my license and resources.
Is the only way for me to get this to work to use a single UDP syslog stream from my pfSense to Splunk, then use rules from props.conf and transforms.conf to individually set the source type and identify the fields?
Many thanks
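As an added illustration of the single-stream approach asked about above (not from the original post or from any Splunk app), the following props.conf and transforms.conf fragments route one UDP syslog input to different source types and indexes based on the syslog process name. The port, the index names and the process-name patterns (`filterlog` and `snort`) are assumptions for the example; adjust them to your inputs.conf and to indexes that actually exist.

```ini
; transforms.conf
; Index-time transforms: these must live on the indexer (or heavy forwarder)
; that first parses the data, not on a universal forwarder.

[set_sourcetype_pfsense_firewall]
; pfSense firewall log lines are emitted by the "filterlog" process (assumption)
REGEX = filterlog\[\d+\]:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::pfsense_firewall

[route_pfsense_firewall]
REGEX = filterlog\[\d+\]:
DEST_KEY = _MetaData:Index
FORMAT = firewall

[set_sourcetype_snort]
; Snort alert lines are emitted by the "snort" process (assumption)
REGEX = snort\[\d+\]:
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::snort

[route_snort]
REGEX = snort\[\d+\]:
DEST_KEY = _MetaData:Index
FORMAT = ids

; props.conf
; A [udp://514] stanza in inputs.conf yields source "udp:514" (port assumed).
; TRANSFORMS- entries are applied in the listed order at index time; events
; matching neither regex keep the input's default sourcetype and index.
[source::udp:514]
TRANSFORMS-pfsense = set_sourcetype_pfsense_firewall, route_pfsense_firewall, set_sourcetype_snort, route_snort
```

Because the index is set per event, the data is indexed once against the license, and search-time field extractions from each app still apply as long as they are keyed on the resulting sourcetype names.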