crcSalt is not working with multiple sub dir con...

vemurisurya · ‎07-02-2019

Hi, Am writing a monitoring stanza to on-board the files with same name but different sub-directory named using following monitoring stanzas , but any time am getting only one host data other one is not coming in any more, host_segment = 4.

my directory structure

/var/syslog/Pal/H2-Panorama/file<date>.log
/var/syslog/Pal/H1-PA5220-02.PGR.com/file<date>.log
/var/syslog/Pal/H2-PA5220-01.PGR.com/file<date>.log
/var/syslog/Pal/H1-PA5220.PGR.com/file<date>.log
/var/syslog/Pal/H1-Pano.PGR.com/file<date>.log

inputs.conf

 [monitor:///var/syslog/Pal/.../*.log]
 blacklist = \.gz|\.tgz index=pan
 host_segment = 4 ignoreOlderThan = 1d
 disabled = 0 crcSalt = <string>

Props.conf

[source::...Pal...]
TRANSFORMS-assignSourcetype = pan_system, pan_traffic

TRANSFORMS.conf

[ pan_traffic ]
REGEX =^[^\,]+\,[^\,]+\,[^\,]+\,TRAFFIC\,..*
FORMAT = sourcetype::pan:traffic
DEST_KEY = MetaData:Sourcetype

skalliger · ‎07-02-2019

If you're setting crcSalt = <string> you might want to use crcSalt = <SOURCE> instead. You just copied it from the spec file. 🙂

Skalli

crcSalt is not working with multiple sub dir contains same file name monitoring

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation