cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jomon_ng
Observer
Member since: ‎06-08-2022
‎06-24-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-08-2022
View All

SC4S: version 2 filter events not working

by in Splunk Search
‎06-20-2022 10:18 PM
‎06-20-2022 10:18 PM
Hi, I tried to filter events on version 2.30.0 based on v1.110.0 configuration, but it failed to dropped events in version 2. I also have read the document but somehow it still not working. maybe something that I miss out. kindly advise SC4S V1.110.0 $ cat vendor_product_by_source.csv f_null_queue,sc4s_vendor_product,"null_queue" $ cat vendor_product_by_source.conf filter f_null_queue { host(10.14.1.98) or host(10.14.1.99) or host("uk-test-intfw*" type(glob)) }; Result: Events from above host has been dropped and didn’t see it show in Splunk SC4S v2.30.0 $ cat vendor_product_by_source.csv f_null_queue,sc4s_vendor_product,"null_queue" $ cat vendor_product_by_source.conf filter f_null_queue { host(10.14.1.98) or host(10.14.1.99) or host("uk-test-intfw*" type(glob)) }; Result: With the same statement as V1, events still continues flow into Splunk without filter. I have follow the document and make changed as below $ cat vendor_product_by_source.csv f_cisco_asa,sc4s_vendor_product,cisco_asa f_fortinet_fortios,sc4s_vendor_product,fortinet_fortios $ cat vendor_product_by_source.conf filter f_cisco_asa { host(10.14.1.98) or host(10.14.1.99) }; filter f_fortinet_fortios { host(uk-test-intfw*" type(glob)) }; ... View more
Labels

SC4S Debug mode directories / Why is function miss...

by in Getting Data In
‎06-08-2022 12:26 AM
‎06-08-2022 12:26 AM
we have added below line in the env_file, so that events will be catpured and ease to identifier the sourcetype. SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug In version version 1.110.0, we could see all the incoming sourcetype on it as below $ ls cisco_asa fortinet_fortios nix_syslog sc4s_events sc4s_fallback vmware_esx zscaler_web But in version 2.0 till 2.28.0, we failed to see any sourcetype listed on it with same configuration in above,  the "debug" folder is not create even after restart the sever [DEV][archive] $ ls [DEV][archive] $ pwd /apps/sc4s/archive Any hints what the change in between the version 1 and version 2 that possible caused the debug mode failed? (events are showing in Splunk) *we just do in place upgrade from version 1 to version 2 on same working servers. IF we moved back to version 1, the debug directories will showed agai ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-24-2022 12:05 AM