Skip to content

Commit

Permalink
change sc4s_log_host to sc4s_loghost
Browse files Browse the repository at this point in the history
  • Loading branch information
rfaircloth-splunk committed May 8, 2020
1 parent 832da7a commit 0e9e17c
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion docs/troubleshooting.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ don't expect, check to see that the index is created in Splunk, or that a `lastC
cause for almost _all_ `400` errors.
* If you continue to the individual log entries in these directories, you will see entries of the form
```bash
curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_log_host":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.26.1'"}'
curl -k -u "sc4s HEC debug:a778f63a-5dff-4e3c-a72c-a03183659e94" "https://splunk.smg.aws:8088/services/collector/event" -d '{"time":"1584556114.271","sourcetype":"sc4s:events","source":"SC4S:s_internal","index":"main","host":"e3563b0ea5d8","fields":{"sc4s_syslog_severity":"notice","sc4s_syslog_facility":"syslog","sc4s_loghost":"e3563b0ea5d8","sc4s_fromhostip":"127.0.0.1"},"event":"syslog-ng starting up; version='3.26.1'"}'
```
* These commands, with minimal modifications (e.g. multiple URLs specified or elements that needs shell escapes) can be run directly on the
command line to determine what, exactly, the HEC endpoint is returning. This can be used to refine th index or other parameter to correct the
Expand Down
2 changes: 1 addition & 1 deletion package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ rewrite r_set_splunk_default {
{{- end}}
{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
{{- if (getenv "SC4S_CONTAINER_HOST") }}
set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
{{- end}}
{{- end}}
{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,log_host,dport,fromhostip,proto") ",") has "container" }}
Expand Down

0 comments on commit 0e9e17c

Please sign in to comment.