splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

Unable to redirect SC4S:probe sourcetype in splunk_metadata.csv #1261

Closed ghost closed 2 years ago

ghost commented 3 years ago

The SC4S start-up HEC test outputs are sent to the sourcetype 'SC4S:probe', which by default goes to the main index.

The re-routing option of adding the source key to splunk_metadata.csv, for example 'sc4s_probe,index,sectools', did not work; the events just disappeared.

rjha-splunk commented 2 years ago

cc: @mateuszpierzchala-splunk The issue should be fixed now. Please be careful about the following things:

  1. Use the keys explained.
  2. Check that the index exists where you are redirecting the data.
  3. The (HEC) token has access to all the indexes.
  4. The lastchance index is created and configured.

geoffmartin commented 6 months ago

I've been trying to redirect the probe log without success. I'm using "splunk_sc4s_probe,index,sc4s_logs" and a bunch of other things, but it's not quite working. I'm using brand new v3.23.0, released just yesterday. What am I doing wrong?