The issue was the splunk_metadata.csv file; I need to use a splunk prefix:
splunk_sc4s_fallback,index,sddc_internal
splunk_sc4s_events,index,sddc_internal
splunk_sc4s_metrics,index,sddc_internal
That was not clear; I figured it out in the forums. Thanks
Ok, I'm glad it's working now! I'm closing the issue in this case.
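An added example, not part of the original thread or of SC4S itself: a shell check that the three override rows from the fix above are present in a splunk_metadata.csv and point at the index the HEC token is allowed to write to. The function name and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the SC4S-internal index overrides in splunk_metadata.csv.
# The three keys and the "key,index,value" row format come from the fix in this thread.

# check_sc4s_index_overrides FILE INDEX   (hypothetical helper name)
# Prints one status line per key; returns 0 only if all three rows are present
# and set to INDEX.
check_sc4s_index_overrides() {
    file=$1
    want=$2
    rc=0
    for key in splunk_sc4s_fallback splunk_sc4s_events splunk_sc4s_metrics; do
        # Last matching row wins; tolerate CR line endings and stray whitespace.
        got=$(awk -F, -v k="$key" '
            { gsub(/\r/, ""); for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
            $1 == k && $2 == "index" { v = $3 }
            END { print v }' "$file")
        if [ -z "$got" ]; then
            echo "$key missing"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "$key mismatch ($got)"
            rc=1
        else
            echo "$key ok"
        fi
    done
    return $rc
}

# Constructed sample: rows written without the splunk_ prefix, then corrected.
demo=$(mktemp)
printf '%s\n' 'sc4s_fallback,index,sddc_internal' \
              'sc4s_events,index,sddc_internal' \
              'sc4s_metrics,index,sddc_internal' > "$demo"
check_sc4s_index_overrides "$demo" sddc_internal || echo "-> overrides not in effect"
sed 's/^sc4s_/splunk_sc4s_/' "$demo" > "$demo.fixed"
check_sc4s_index_overrides "$demo.fixed" sddc_internal && echo "-> all three keys overridden"
rm -f "$demo" "$demo.fixed"
```

When a key is reported missing, its events are not redirected to the intended index, which matches the `index=main` startup check and the HEC "Incorrect index" (code 7) response shown in the issue.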
I saw nothing in the portal
Was the issue replicated by support?
no
What is the sc4s version ?
3.3 latest
Which operating system (including its version) are you using for hosting SC4S?
docker container in ubuntu vm
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S?
docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Is the issue related to the environment of the customer or Software related issue?
Is it related to Data loss, please explain ?
Protocol? Hardware specs?
Last chance index/Fallback index?
Is the issue related to local customization?
Do we have all the default indexes created?
Describe the bug
I have set up the env_file and followed the documentation, but the variables are not working.
Here is the env_file. I took out the details, but the token works; I will show the curl command.
root@ipz003-prod-splunk01:/opt/sc4s# cat env_file
SC4S_CONTAINER_HOST=
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=
SC4S_DEST_SPLUNK_HEC_DEFAULT_INDEX=sddc_internal
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=yes
SC4S_DEST_SPLUNK_HEC_DEFAULT_DISKBUFF_ENABLE=yes
SC4S_DEBUG=true
/lib/systemd/system/sc4s.service
Run SC4S with the mapped variables
ExecStart=/usr/bin/docker run \
        -v splunk-sc4s-var:/var/lib/syslog-ng \
        -v /opt/sc4s/local:/etc/syslog-ng/conf.d/local \
        -v /opt/sc4s/archive:/var/lib/syslog-ng/archive \
        -v /opt/sc4s/tls:/etc/syslog-ng/tls \
        --env-file=/opt/sc4s/env_file \
        --network host \
        --name SC4S \
        --rm $SC4S_IMAGE
curl -k https://rb-itoa-splunk-idx29.rbesz01.com:3001/services/collector/event -H "Authorization: Splunk xxx-131967028fd5" -d '{"event": "Test event", "sourcetype": "nix:syslog", "index": "sddc_internal"}'
{"text":"Success","code":0}
root@ipz003-prod-splunk01:/opt/sc4s# docker logs -f SC4S
{"text":"Incorrect index","code":7,"invalid-event-number":1}
SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback
Startup will continue to prevent data loss if this is a transient failure.
syslog-ng checking config
sc4s version=3.31.0
starting goss
starting syslog-ng
To Reproduce
Steps to reproduce the behavior:
I have tried variable attempts and the variables are in the container
root@ipz003-prod-splunk01:/opt/sc4s# docker exec -it SC4S env | grep SC4S
SC4S_CONTAINER_HOST=ipz003-prod-splunk01
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=
SC4S_DEST_SPLUNK_HEC_DEFAULT_INDEX=sddc_internal
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=yes
SC4S_DEST_SPLUNK_HEC_DEFAULT_DISKBUFF_ENABLE=yes
SC4S_DEBUG=true
SC4S_CONTAINER_OPTS=--no-caps
but they are not being picked up