Feed Purview data into Splunk
‎03-31-2014 02:56 AM
I've found the white paper on integrating Splunk with Purview, and it looks great, but I can't find any technical detail on how to get the data from Purview into Splunk. What's the process for bringing the data across?
12 REPLIES
‎04-16-2014 07:46 PM
You should change the metadata separator to something different than newline, e.g. a space with metadataDelimiter=" ", otherwise Splunk will interpret the metadata lines as new events. Adding the line to the syslog config should be all you need. After changing appidconfig.conf you should restart Purview with appidctl restart. I don't remember if you need to restart syslog after changing the rsyslog.d; if your changes are not immediately applied, try restarting the syslog daemon (probably with service rsyslog restart, I don't remember either; I usually reboot the whole appliance, but a service restart should suffice).
‎04-16-2014 07:46 PM
Hi Salvador, thanks for the info. I've just had a look in appidconfig.xml, and there are actually two lines:
Should I uncomment the Splunk one then add the line to rsyslog.d?
‎04-16-2014 05:34 PM
Hi James, I am getting this answered for you so I apologize for the delay.