splunk / splunk-connect-for-syslog

Splunk Connect for Syslog
Apache License 2.0

sources for infoblox logs are coming up as program:$program #2576

Closed imsidr closed 2 months ago

imsidr commented 2 months ago

Was the issue replicated by support?

What is the sc4s version? 3.27.0

Which operating system (including its version) are you using for hosting SC4S? ubuntu

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? yes on request

Is the issue related to the environment of the customer or Software related issue? software related

Is it related to Data loss, please explain? No. Protocol? Hardware specs?

Last chance index/Fallback index? sc4s

Is the issue related to local customization? NA

Do we have all the default indexes created? yes

Describe the bug: all sources for infoblox logs are coming as program:$program & there are two names for the vendor (infoblox & Infoblox)

To Reproduce

Steps to reproduce the behavior:

  1. Go to '...' splunk SH cluster
  2. Click on '....' query index=infoblox sc4s_loghost=*
  3. Scroll down to '....'
  4. See error

rjha-splunk commented 2 months ago

@imsidr Please create support ticket and upload pcap please.

imsidr commented 2 months ago

Support ticket #3565936


cwadhwani-splunk commented 2 months ago

The feature for this request is now released.

Users can set the source field value to 'sc4s' by using the `SC4S_SET_SOURCE_AS_SC4S` variable.

**Note:** If the source field value is specified in a local parser or the splunk_metadata.csv file, it will take precedence over the `SC4S_SET_SOURCE_AS_SC4S` variable and overwrite the source field value.

| Variable | Values        | Description |
|----------|---------------|-------------|
| SC4S_SET_SOURCE_AS_SC4S | yes or no (default) | Set the source field value to 'sc4s'. |

Hence closing this ticket.