Closed imsidr closed 1 month ago
@imsidr Please create a support ticket and upload the pcap.
Support ticket #3565936
From: Rahul Jha
Sent: Tuesday, September 10, 2024 7:50 PM
To: splunk/splunk-connect-for-syslog
Cc: Rai, Siddhartha; Mention
Subject: Re: [splunk/splunk-connect-for-syslog] sources for infoblox logs are coming up as program:$program (Issue #2576)
The feature for this request is now released.
Users can set the source field value to 'sc4s' by using the `SC4S_SET_SOURCE_AS_SC4S` variable.
**Note:** If the source field value is specified in a local parser or the splunk_metadata.csv file, it will take precedence over the `SC4S_SET_SOURCE_AS_SC4S` variable and overwrite the source field value.
| Variable | Values | Description |
|----------|---------------|-------------|
| SC4S_SET_SOURCE_AS_SC4S | yes or no (default) | Set the source field value to 'sc4s'. |
Hence closing this ticket.
Was the issue replicated by support?
What is the sc4s version? 3.27.0
Which operating system (including its version) are you using for hosting SC4S? ubuntu
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? yes on request
Is the issue related to the environment of the customer or Software related issue? software related
Is it related to Data loss, please explain? - No Protocol? Hardware specs?
Last chance index/Fallback index? sc4s
Is the issue related to local customization? NA
Do we have all the default indexes created? yes
Describe the bug: all sources for infoblox logs are coming as program:$program & there are two names for the vendor (infoblox & Infoblox)
To Reproduce Steps to reproduce the behavior: