Skip to content

Commit

Permalink
feat: Added an env variable to set source as 'sc4s' (#2581)
Browse files Browse the repository at this point in the history
* feat: Added a env variable to provide provision of hardcoding source to 'sc4s'

* docs: Updated documentation with the details of the newly introduced variable.
  • Loading branch information
cwadhwani-splunk authored Sep 24, 2024
1 parent 207fc13 commit 76c980c
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 0 deletions.
10 changes: 10 additions & 0 deletions docs/configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -277,6 +277,16 @@ A syntax error will cause the runtime process to abort in the "preflight" phase

To update your changes, restart SC4S.

### Set source value as 'sc4s'

User can set the source field value to 'sc4s' by using the `SC4S_SET_SOURCE_AS_SC4S` variable.

**Note:** If the source field value is specified in a local parser or the splunk_metadata.csv file, it will take precedence over the `SC4S_SET_SOURCE_AS_SC4S` variable and overwrite the source field value.

| Variable | Values | Description |
|----------|---------------|-------------|
| SC4S_SET_SOURCE_AS_SC4S | yes or no(default) | Set the source field value to 'sc4s'. |

## Drop all data by IP or subnet (deprecated)

Using `vendor_product_by_source` to null queue is now a deprecated task. See the supported method for dropping data in [Filtering events from output](https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output).
Expand Down
11 changes: 11 additions & 0 deletions package/etc/conf.d/sources/source_syslog/plugin.jinja
Original file line number Diff line number Diff line change
Expand Up @@ -288,6 +288,11 @@ source s_{{ port_id }} {
};
};

{%- if set_source_sc4s == True %}
rewrite {
set("sc4s", value(".splunk.source"));
};
{%- endif %}

rewrite {
set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring))));
Expand Down Expand Up @@ -475,6 +480,12 @@ source s_{{ port_id }} {
parser(app-group-sc4s-fallback);
};

{%- if set_source_sc4s == True %}
rewrite {
set("sc4s", value(".splunk.source"));
};
{%- endif %}

rewrite {
set($FACILITY, value("fields.sc4s_syslog_facility") condition(match('facility' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring))));
set($LEVEL, value("fields.sc4s_syslog_severity") condition(match('severity' template('`SC4S_DEST_SPLUNK_INDEXED_FIELDS`') type(string) flags(substring)) ));
Expand Down
1 change: 1 addition & 0 deletions package/etc/conf.d/sources/source_syslog/plugin.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,5 +133,6 @@ def normalize_env_variable_input(env_variable: str):
ebpf_no_sockets=int(os.getenv("SC4S_EBPF_NO_SOCKETS", 4)),
enable_parallelize=normalize_env_variable_input(f"SC4S_ENABLE_PARALLELIZE"),
parallelize_no_partitions=int(os.getenv(f"SC4S_PARALLELIZE_NO_PARTITION", 4)),
set_source_sc4s=normalize_env_variable_input("SC4S_SET_SOURCE_AS_SC4S"),
)
print(outputText)

0 comments on commit 76c980c

Please sign in to comment.