Closed nickramser closed 5 months ago
Hi @nickramser, we will need to check why this fix was removed from SC4S and if it's safe to restore it; we will try to find a slot for it in the next sprint.
@nickramser regardless of restoring that solution, a postfilter will work for you:

```
block parser app-postfilter-host() {
    channel {
        rewrite {
            set("new_host", value("HOST"));
        };
    };
};

application app-postfilter-host[sc4s-postfilter] {
    filter {
        host('test_host' type(string));
    };
    parser { app-postfilter-host(); };
};
```
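The postfilter above rewrites HOST to one fixed string for one matching host. As an added example, not from this thread or the SC4S project, the following postfilter generalizes it to the situation the issue describes: several devices each send a hardcoded serial number as the host, and each should show up in Splunk under a meaningful name. It uses syslog-ng's `condition()` option on `set()` so that one rewrite block handles all of them. The serial values, the friendly names, the parser/application names and the `fields.orig_host` field are placeholders and assumptions; whether SC4S forwards `fields.*` name-value pairs as indexed fields is also an assumption to verify against your SC4S version.

```syslog-ng
# Added example (not from the thread or SC4S itself): an SC4S postfilter that
# replaces a device-supplied serial-number HOST with a friendly name.
# All serial numbers and names below are placeholders; substitute your own.
block parser app-postfilter-host-by-serial() {
    channel {
        rewrite {
            # Keep the original, device-supplied host so it can still be searched
            # for troubleshooting (field name is an assumption; pick any name).
            set("${HOST}" value("fields.orig_host"));

            # Map each hardcoded serial-number host to the name wanted in Splunk.
            # condition() limits each set() to messages whose HOST matches, so
            # only the matching device is renamed.
            set("fw-branch-01" value("HOST") condition(host("SERIAL0001" type(string))));
            set("fw-branch-02" value("HOST") condition(host("SERIAL0002" type(string))));
        };
    };
};

# The filter selects only the devices we intend to rename; anything else is
# left untouched by this postfilter.
application app-postfilter-host-by-serial[sc4s-postfilter] {
    filter {
        host("SERIAL0001" type(string)) or host("SERIAL0002" type(string));
    };
    parser { app-postfilter-host-by-serial(); };
};
```

Because the filter and the `condition()` values must agree, adding a device means adding it in both places; keeping the list in the `filter {}` block narrow avoids accidentally rewriting the host of unrelated sources that happen to pass through the same SC4S instance.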
@nickramser I confirmed with the team that limiting the functionality of compliance_meta_by_source.csv was a long-term decision and that way of overriding the host won't be restored. Please try the postfilter and let me know if we can close the issue.
@mstopa-splunk, thanks for the quick responses. I just tested the postfilter and it's working as expected. I'll go ahead and close out the issue.
What is the sc4s version? v3.22.1

Feature Request description: We have a device which is sending a `host` value in the syslog message, but it's hardcoded and based off the device serial number. I'd like to override it, but since there is a `host` value supplied in the message, it doesn't appear that `SC4S_USE_REVERSE_DNS` or the host.csv would be checked. Issues #572/#575 indicate that you can use `.splunk.host` within compliance_meta_by_source.csv, but that is not working for me and it doesn't appear in the compliance_meta_by_source documentation as an option. So, is there currently a way to override a host when a host value is supplied by the source? If not, could `.splunk.host` be added back in as a valid metadata override value?