Was the issue replicated by support? yes
What is the sc4s version ? 3.19.0
Which operating system (including its version) are you using for hosting SC4S? docker container
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Is the issue related to the environment of the customer or Software related issue? Not Sure
Is it related to Data loss, please explain ? Protocol? Hardware specs?
Last chance index/Fallback index? sc4s index
Is the issue related to local customization? Not sure
Do we have all the default indexes created? NA
Describe the bug
host field is showing as adp
Applied the parser provided in https://github.com/splunk/splunk-connect-for-syslog/issues/2459, which now stands deleted because we had sensitive data posted over that.
Sharing the parser below -

    # Look up the event's source IP in host.csv and apply the matching name-value pairs
    block parser app-dest-new-cef() {
        channel {
            parser {
                add-contextual-data(
                    selector("${SOURCEIP}"),
                    database("conf.d/local/context/host.csv")
                );
            };
        };
    };

    # Run the lookup only for events tagged as Infoblox NIOS threat
    application app-dest-new-cef[sc4s-finalfilter] {
        filter {
            tags(".source.s_INFOBLOX_NIOS_THREAT");
        };
        parser {
            app-dest-new-cef();
        };
    };
Support case [3521345] created.
Update: Support is working on it.
@rjha-splunk it's been three weeks and I have not heard any response on this. Do we have any update?
Today support escalated it to us; we will check and update the status.
The fix is provided by Support (we worked on it).