Different metadata values for every destination #2605
Comments
Filter on additional destination is something that can be used. Reference. Here is what you will have to do. Create a new file with file path: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-cisco_dest_fmt_other.conf
Restart the sc4s service after making these changes. With these changes we are only sending the logs that have vendor as 'cisco' to the OTHER destination and we are changing its index to a hardcoded value 'netfw_new'. The filter can be changed based on your need.
I managed to make the filtered destination work, finally! I have one last problem, though: Apparently, the settings in splunk_metadata.csv overlap with those in the filter. When I leave the file empty, the filtered destination has the right value for index, but the default destination sends to lastchanceindex. With a populated splunk_metadata.csv and the selector filter in place, the opposite thing happens. How can I circumvent this?
Could you please send me the splunk_metadata.csv file, the filters used (you can also send the whole folder /opt/sc4s/local) and a sample log that you are using to test this to my email address [email protected].
Done, thanks! I've double-checked the overlapping and I am confident it occurs as I described.
Hi, did you receive my email? Do you have any updates as per this ticket?
Hi, it is added to the sprint; we will post the update soon.
I have to send data from my SC4S instance to a different Splunk Cloud deployment altogether. The index names in this alternate destination differ from the ones I'm currently using. How can I modify the metadata that I send to the alternate destination so that the index names match without disturbing the metadata I send to my own Splunk Cloud deployment?