Configure inputs
Although Juniper supports both syslog and key-value output, the Splunk Add-on for Juniper only supports syslog. See Configure your Juniper device to send data to the Splunk Add-on for Juniper.
Configure inputs using Splunk Connect for Syslog
Splunk recommends that you use Splunk Connect for Syslog (SC4S) to collect data. To collect data using SC4S, refer to the steps described in https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Juniper/junos/.
Configure inputs for the Splunk Add-on for Juniper
The Splunk Add-on for Juniper handles inputs through UDP. Match the input configuration in your Splunk platform's data collection node to the port that you configured in your Juniper configuration file. If you have not yet done this, see Configure your Juniper device to send data to the Splunk Add-on for Juniper.
In the Splunk platform node handling data collection, configure the UDP input to match your configurations in Juniper, and set your source type to juniper. The CIM mapping and dashboard panels depend on the juniper source type.
See Get data from TCP and UDP ports in the Getting Data In manual for how to configure a Splunk forwarder or single instance to receive syslog input.
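One way to write this input in inputs.conf on the data collection node, shown as an added example that is not taken from the add-on's own documentation. The port 514 and the sender address 192.0.2.10 are placeholder assumptions; use the port and device address from your Juniper configuration.

```ini
# inputs.conf on the Splunk platform node that receives the syslog data.
# Assumption: the Juniper device sends to UDP port 514. Change the port
# in the stanza name to the one set in your Juniper configuration.
[udp://514]
# Required by the add-on: CIM mapping and dashboard panels key off this value.
sourcetype = juniper
# Record the sender's IP address as the host field of each event.
connection_host = ip
# UDP syslog is unauthenticated, so accept datagrams only from the
# Juniper device. 192.0.2.10 is a placeholder address.
acceptFrom = 192.0.2.10
```

Restart the Splunk platform node after editing inputs.conf so the new input takes effect.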
Once you have configured the input, run the following search to check that you are ingesting the data that you expect:
sourcetype = juniper*
If you are bringing in data from Juniper NetScreen Firewall, run the following search:
sourcetype = netscreen:firewall
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released