This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Feed Purview data into Splunk

Feed Purview data into Splunk

James_A
Valued Contributor

‎03-31-2014 02:56 AM

I've found the white paper on integrating Splunk with Purview, and it looks great, but I can't find any technical detail on how to get the data from Purview into Splunk. What's the process for bringing the data across?
0 Kudos
12 REPLIES 12

Ferrer__Salvado
New Contributor
In response to Ferrer__Salvado

‎04-16-2014 07:46 PM

You should change the the metadata separator to something different than newline, e.g. a space with metadataDelimiter=" ", otherwise splunk will interpret the metadata lines as new events. Adding the line to the syslog config should be all you need. Afte changing appidconfig.conf you should restart purview with appidctl restart. I don't remember if you need to restart syslog after changing the rsyslog.d, if you changes are not immediately applied try restarting the syslog daemon (probably with service rsyslog restart, I don't remember either, I usually reboot the whole appliance but a service restart should suffice)
0 Kudos

James_A
Valued Contributor
In response to Ferrer__Salvado

‎04-16-2014 07:46 PM

Hi Salvador, thanks for the info. I've just had a look in appidconfig.xml, and there's actually two lines:




Should I uncomment the splunk one then add the line to rsyslog.d?
0 Kudos

Tamera_Rousseau
New Contributor

‎04-16-2014 05:34 PM

Hi James, I am getting this answered for you so I apologize for the delay.
0 Kudos
GTM-P2G8KFN