Splunk Enterprise Security

crcSalt is not working with multiple sub dir contains same file name monitoring

vemurisurya
Path Finder

Hi, Am writing a monitoring stanza to on-board the files with same name but different sub-directory named using following monitoring stanzas , but any time am getting only one host data other one is not coming in any more, host_segment = 4.

my directory structure

/var/syslog/Pal/H2-Panorama/file<date>.log
/var/syslog/Pal/H1-PA5220-02.PGR.com/file<date>.log
/var/syslog/Pal/H2-PA5220-01.PGR.com/file<date>.log
/var/syslog/Pal/H1-PA5220.PGR.com/file<date>.log
/var/syslog/Pal/H1-Pano.PGR.com/file<date>.log

inputs.conf

 [monitor:///var/syslog/Pal/.../*.log]
 blacklist = \.gz|\.tgz index=pan
 host_segment = 4 ignoreOlderThan = 1d
 disabled = 0 crcSalt = <string>

Props.conf

[source::...Pal...]
TRANSFORMS-assignSourcetype = pan_system, pan_traffic

TRANSFORMS.conf

[ pan_traffic ]
REGEX =^[^\,]+\,[^\,]+\,[^\,]+\,TRAFFIC\,..*
FORMAT = sourcetype::pan:traffic
DEST_KEY = MetaData:Sourcetype 
0 Karma

skalliger
SplunkTrust
SplunkTrust

If you're setting crcSalt = <string> you might want to use crcSalt = <SOURCE> instead. You just copied it from the spec file. 🙂

Skalli

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...