Configuring the Universal Forwarder
Complete the following steps on the computer that is running the VIP Report Streaming Service reference client to configure your Splunk Universal Forwarder:
- Using a standard text editor, create a text file named props.conf. Copy the following text into that file and save it:

```ini
# Version 7.3.0
[splunkd]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*) \s+(?P<component>[^ ]+) - (?P<event_message>.+)

[scheduler]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*) \s+(?P<component>[^ ]+) - (?P<event_message>.+)

[splunk_web_service]
EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)

[vip_api]
DATETIME_CONFIG =
KV_MODE = json
MAX_TIMESTAMP_LOOKAHEAD = 200
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = *ts;\s
TZ = UTC
category = Custom
pulldown_type = true
SHOULD_LINEMERGE = true
disabled = false
BREAK_ONLY_BEFORE = ([r\n])
```

  This file defines a custom source type (vip_api) that lets Splunk import the VIP Report Streaming Service data and display a timestamp that matches the Symantec timestamp (the default is UTC-0).
- Copy the props.conf file to the C:\Program Files\Splunk\etc\apps\search\local directory.
- Using a standard text editor, modify C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf. Add the following lines:

```ini
[monitor://<path_to_event_log_dir>\event.log]
disabled = 0
host = <host_name>
index = <index_name>
sourcetype = <source_type>
```

  Where:
  - <path_to_event_log_dir> is the path to the event logs directory (event_log_dir) you set when you configured the VIP Report Streaming Service reference client.
  - <host_name> is the host name of the computer that is running the VIP Report Streaming Service reference client.
  - <index_name> is the name of your Splunk Cloud index.
  - <source_type> is the custom source type you created in props.conf. Enter vip_api for this value.

  For example:

```ini
[monitor://C:\StreamingReferenceClient\logs\event.log]
disabled = 0
host = myhostname
index = vip_api
sourcetype = vip_api
```

- As an administrator, run the following command at a command line:

```
splunk.exe install app <path to\splunkclouduf.spl>
```

  Where <path to\splunkclouduf.spl> is the location where you downloaded the Splunk Universal Forwarder.
- When prompted, enter the administrator name and credentials that you used when you installed the Splunk Universal Forwarder. A message states that the app was installed.
- As an administrator, enter Services.msc in a command line.
- Navigate to the splunk service and restart it. The VIP Report Streaming Service reference client should begin populating logs in the Splunk Cloud index.
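A pre-restart sanity check, added here as an example that is not part of the Symantec or Splunk documentation: it parses the two files above and confirms that the monitor stanza is complete, has no <placeholder> values left, and points at a sourcetype that props.conf actually defines. The two config texts are constructed from the page's example values (only the vip_api stanza of props.conf is reproduced).

```python
import configparser
import re

# Constructed sample: the vip_api stanza from the props.conf shown above.
PROPS_CONF = r"""
[vip_api]
DATETIME_CONFIG =
KV_MODE = json
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
SHOULD_LINEMERGE = true
disabled = false
"""

# Constructed sample: the inputs.conf stanza from the page's example.
INPUTS_CONF = r"""
[monitor://C:\StreamingReferenceClient\logs\event.log]
disabled = 0
host = myhostname
index = vip_api
sourcetype = vip_api
"""

PLACEHOLDER = re.compile(r"<[^>]+>")  # e.g. <host_name> left unreplaced


def load_conf(text):
    """Parse Splunk .conf text: keys stay case-sensitive, '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_forwarder_config(props_text, inputs_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    props, inputs = load_conf(props_text), load_conf(inputs_text)
    problems = []
    monitors = [s for s in inputs.sections() if s.lower().startswith("monitor://")]
    if not monitors:
        problems.append("inputs.conf has no [monitor://...] stanza")
    for stanza in monitors:
        sec = inputs[stanza]
        if PLACEHOLDER.search(stanza) or any(PLACEHOLDER.search(v) for v in sec.values()):
            problems.append(f"{stanza}: unreplaced <placeholder> value")
        if sec.get("disabled", "0") != "0":
            problems.append(f"{stanza}: input is disabled")
        for key in ("host", "index", "sourcetype"):
            if not sec.get(key):
                problems.append(f"{stanza}: missing {key}")
        st = sec.get("sourcetype")
        if st and not props.has_section(st):
            problems.append(f"{stanza}: sourcetype '{st}' is not defined in props.conf")
        elif st and not props[st].get("TIME_FORMAT"):
            problems.append(f"[{st}] in props.conf has no TIME_FORMAT")
    return problems
```

Run it against the real files before restarting the splunk service; a non-empty list means events would be dropped or indexed under the wrong sourcetype or timestamp.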
