Splunk Enterprise Security

crcSalt is not working when monitoring multiple sub-directories that contain the same file name

Path Finder

Hi, I am writing a monitoring stanza to on-board files with the same name but in different sub-directories, using the following monitoring stanzas, but each time I am only getting data from one host; the other one is not coming in any more. host_segment = 4.

my directory structure

/var/syslog/Pal/H2-Panorama/file<date>.log
/var/syslog/Pal/H1-PA5220-02.PGR.com/file<date>.log
/var/syslog/Pal/H2-PA5220-01.PGR.com/file<date>.log
/var/syslog/Pal/H1-PA5220.PGR.com/file<date>.log
/var/syslog/Pal/H1-Pano.PGR.com/file<date>.log

inputs.conf

[monitor:///var/syslog/Pal/.../*.log]
blacklist = \.gz|\.tgz
index = pan
host_segment = 4
ignoreOlderThan = 1d
disabled = 0
crcSalt = <string>

Props.conf

[source::...Pal...]
TRANSFORMS-assignSourcetype = pan_system, pan_traffic

TRANSFORMS.conf

[pan_traffic]
REGEX = ^[^,]+,[^,]+,[^,]+,TRAFFIC,.*
FORMAT = sourcetype::pan:traffic
DEST_KEY = MetaData:Sourcetype
0 Karma

SplunkTrust

If you're setting crcSalt = <string> you might want to use crcSalt = <SOURCE> instead. You just copied it from the spec file. 🙂

Skalli

0 Karma
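To make the answer's point concrete, here is an added example (not from this thread and not Splunk's own code) that mimics Splunk's initial-CRC fingerprint over the first 256 bytes of each monitored file and shows why two hosts' files with a byte-identical head collapse into one fingerprint unless the salt is the source path. The `splunk_like_crc` function, the constructed `Pal/<host>/file<date>.log` tree and its sample PAN-OS-style line are assumptions for illustration; Splunk's real implementation differs in detail.

```python
import tempfile
import zlib
from pathlib import Path
from typing import List, Optional

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength

# Constructed sample: two hosts whose log files start with byte-identical
# lines (typical for rotated, templated or header-bearing logs).
SAMPLE_HEAD = (
    "1,2024/01/01 00:00:00,001234567890,TRAFFIC,end,2049,2024/01/01 00:00:00,"
    "10.0.0.5,10.0.0.9,0.0.0.0,0.0.0.0,allow-all,,,ssl,vsys1,trust,untrust,"
    "ethernet1/1,ethernet1/2,default,2024/01/01 00:00:00,12345,1,54321,443,tcp\n"
)

def build_sample_tree(root: Path) -> List[Path]:
    """Recreate the question's layout: Pal/<host>/file<date>.log, same head."""
    paths = []
    for host in ("H2-Panorama", "H1-Pano.PGR.com"):
        p = root / "Pal" / host / "file20240101.log"
        p.parent.mkdir(parents=True)
        p.write_text(SAMPLE_HEAD * 3)  # well past 256 bytes, identical on both hosts
        paths.append(p)
    return paths

def splunk_like_crc(path: Path, crc_salt: Optional[str]) -> int:
    """Assumed model of the fingerprint: CRC32 over the first initCrcLength bytes
    plus the salt. crcSalt = <SOURCE> salts with the full path; any other value
    (including the literal "<string>" copied from the spec file) is appended
    verbatim to every file, so it cannot tell identical heads apart."""
    head = path.read_bytes()[:INIT_CRC_LENGTH]
    salt = str(path).encode() if crc_salt == "<SOURCE>" else (crc_salt or "").encode()
    return zlib.crc32(head + salt)

def distinct_fingerprints(paths: List[Path], crc_salt: Optional[str]) -> bool:
    """True if every monitored file gets its own fingerprint (none is skipped)."""
    crcs = [splunk_like_crc(p, crc_salt) for p in paths]
    return len(set(crcs)) == len(crcs)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_tree(Path(tmp))
        return {
            "no crcSalt": distinct_fingerprints(paths, None),
            "crcSalt = <string>": distinct_fingerprints(paths, "<string>"),
            "crcSalt = <SOURCE>": distinct_fingerprints(paths, "<SOURCE>"),
        }

if __name__ == "__main__":
    for setting, ok in demo().items():
        print(f"{setting:20s} -> {'both files read' if ok else 'second file skipped'}")
```

Only the `<SOURCE>` setting yields two distinct fingerprints; the literal string copied from the spec behaves exactly like no salt at all.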