cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
MediumToast
Engager
Member since: ‎07-29-2024
‎08-01-2024
Community Statistics
Posts 2
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-29-2024
Activity Feed
View All

Re: Overriding indexes of sources in SC4S

by in Getting Data In
‎07-31-2024 10:33 PM
‎07-31-2024 10:33 PM
Thanks for the response. Maciek Stopa on the Splunk Slack workspace provided this novel code that has worked well. This doesn't handled the metrics and sc4s events but I handled those in splunk_metadata.csv. # cp example_postfiler.conf /opt/sc4s/local/config/app_parsers/ # systemctl restart sc4s block parser app-dest-rewrite-index() { channel { rewrite { r_set_splunk_dest_update_v2( index("${.splunk.index}_unique-suffix") ); }; }; }; application app-dest-rewrite-index[sc4s-postfilter] { parser { app-dest-rewrite-index(); }; };     ... View more

Overriding indexes of sources in SC4S

by in Getting Data In
‎07-29-2024 02:15 AM
‎07-29-2024 02:15 AM
Hi, Apologies if I'm using the wrong terminology here. I'm trying to configure SC4S to override the destination indexes of types of sources. For example, if an event is received from a Cisco firewall by default it'll end up in the 'netfw' index. Instead, I want all events that would have gone to 'netfw' to go to, for example, 'site1_netfw'. I attempted to do this using the splunk_metadata.csv file but I now understand I've misinterpreted the documentation. I had used 'netfw,index,site1_netfw' but if I understand correctly, I'd actually need to have a seperate line for each key such as 'cisco_asa,index,site1_netfw'. Is that correct? Is there a way to accomplish what I want without listing each source key? Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-01-2024 12:26 PM