To create a new ‘Rule’, select the ‘+ Create New Rule’ button on the Log Receiver dashboard and assign it a logical name.

It is recommended that you create a naming convention for your log receiver components, i.e. Rule, Source, Filter and Destination names.

Decide how you want log rotation to operate on each data source.

Selecting a specific Splunk sourcetype and index will help with Splunk’s data input procedure. It is essential that the Index or Indexes described here have been created on the local Splunk instance which will become a Heavy Forwarder feeding these logs into your Splunk Indexers.

Indexes can be created easily by opening the Settings / Indexes menu from the local Splunk instance.

The ‘Monitor in Splunk’ feature shown here will only be visible if Splunk has been activated on this Appliance/Instance.
This option allows you to set the Sourcetype and Index used to create a ‘monitored input’ in the /etc/system/local/inputs.conf file.
**IMPORTANT: It is crucial that any Index specified here has been created on the Splunk instance of this Appliance/Instance. This Index will also need to be present on all your Production Indexers before forwarding is enabled.**
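As an added example (not part of the appliance documentation), the check below reads the monitored-input stanzas an appliance writes to inputs.conf and reports any whose `index` is not defined in the local indexes.conf, which is the misconfiguration the note above warns about. The two conf fragments are constructed sample data; `main` is treated as Splunk's built-in default index.

```python
"""Flag Splunk monitor inputs whose target index has not been created locally."""
import re

# Constructed sample of what the appliance might write to inputs.conf.
INPUTS_CONF = """\
[monitor:///var/log/receiver/firewall.log]
sourcetype = fw:syslog
index = netfw

[monitor:///var/log/receiver/proxy.log]
sourcetype = proxy:access
index = proxy

[monitor:///var/log/receiver/misc.log]
sourcetype = misc
"""

# Constructed sample indexes.conf: only 'netfw' has been created.
INDEXES_CONF = """\
[default]
maxTotalDataSizeMB = 500000

[netfw]
homePath = $SPLUNK_DB/netfw/db
"""


def parse_stanzas(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def monitors_with_missing_index(inputs_conf, indexes_conf):
    """Return {monitor_stanza: index} for inputs pointing at an undefined index."""
    known = {n for n in parse_stanzas(indexes_conf) if n != "default"} | {"main"}
    missing = {}
    for stanza, kv in parse_stanzas(inputs_conf).items():
        if stanza.startswith("monitor://"):
            idx = kv.get("index", "main")  # Splunk defaults to 'main' if unset
            if idx not in known:
                missing[stanza] = idx
    return missing
```

Run the same check against each production indexer's indexes.conf before enabling forwarding, since an index that exists only on the Heavy Forwarder still fails downstream.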

Select the ‘Save’ button to move on to the ‘Source’ setup.

If at any time you need to edit or delete a Rule, use the vertical ellipsis menu located adjacent to each Rule.