Troubleshoot the Splunk Add-on for Imperva SecureSphere WAF
General troubleshooting
For helpful troubleshooting tips that you can apply to all add-ons, see "Troubleshoot add-ons" in Splunk Add-ons. For additional resources, see "Support and resource links for add-ons" in Splunk Add-ons.
Data ingestion problems
Verify that you have configured the input correctly by confirming that:
- you have configured the correct IP address of the Splunk platform node responsible for data collection in your Imperva SecureSphere WAF configuration.
- the port that you configured in your Imperva SecureSphere WAF configuration matches the port you configured in your syslog input configuration.
- the port that you are using for this input does not conflict with any other inputs.
- your syslog input is configured to set the source type to imperva:waf.
- you are searching the correct index. By default, this add-on uses the main index.
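The port, source type, and index checks above can be run against inputs.conf text with a short script. This is an added example, not part of the add-on or the Splunk documentation; it assumes the syslog input is a udp:// or tcp:// network input stanza, and the function names, file labels, and sample contents are constructed for illustration.

```python
import configparser
import re

# Splunk network input stanzas, e.g. [udp://514] or [tcp://10.0.0.5:514]
STANZA = re.compile(r"^(udp|tcp)://(?:.*:)?(\d+)$")

def load_inputs(text):
    """Parse inputs.conf text into {(proto, port): settings}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    found = {}
    for name in cp.sections():
        m = STANZA.match(name)
        if m:
            found[(m.group(1), int(m.group(2)))] = dict(cp[name])
    return found

def check_waf_input(confs, port, sourcetype="imperva:waf"):
    """confs maps a file label to inputs.conf text.
    Returns (findings, indexes to search) for the given port."""
    findings, indexes, owners = [], set(), []
    for label, text in confs.items():
        for (proto, p), cfg in load_inputs(text).items():
            if p != port:
                continue
            owners.append((label, proto))
            indexes.add(cfg.get("index", "main"))  # add-on default per the page
            st = cfg.get("sourcetype")
            if st != sourcetype:
                findings.append(f"{label}: {proto}://{port} sets sourcetype {st!r}")
    if not owners:
        findings.append(f"no udp/tcp input listens on port {port}")
    for proto in ("udp", "tcp"):
        labels = [l for l, pr in owners if pr == proto]
        if len(labels) > 1:  # same port claimed by several files: review it
            findings.append(f"{proto}://{port} defined in: " + ", ".join(labels))
    return findings, sorted(indexes)

# Constructed sample: two hypothetical apps both define an input on UDP 514.
SAMPLE = {
    "app_a/local/inputs.conf": "[udp://514]\nsourcetype = imperva:waf\nindex = security\n",
    "app_b/local/inputs.conf": "[udp://514]\nsourcetype = syslog\n",
}

if __name__ == "__main__":
    findings, indexes = check_waf_input(SAMPLE, 514)
    print("\n".join(findings) or "input looks correct", "| search indexes:", indexes)
```

Pass the port configured on the Imperva SecureSphere WAF side as `port`; an empty findings list means the input stanza agrees with the checklist, and the returned index list shows where to search.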
Field extraction does not work for multi-line events
Imperva uses macros and placeholders for sending events to Splunk. These macros and placeholders replace all the newlines in the add-on with \n.
To resolve this issue, use the #cefEscapeExtension(${placeholder}) macro on the Imperva side of your configuration.
Reference: https://docs.imperva.com/bundle/v13.6-file-security-user-guide/page/3681.htm
This documentation applies to the following versions of Splunk® Supported Add-ons: released