
Different metadata values for every destination #2605

Open
rucete opened this issue Sep 27, 2024 · 4 comments
Comments


rucete commented Sep 27, 2024

SC4S version: 3.31.0
Host OS: Ubuntu 22.04.4 LTS (Jammy Jellyfish)
Runtime: Docker + systemd

I have to send data from my SC4S instance to a different Splunk Cloud deployment altogether. The index names in this alternate destination differ from the ones I'm currently using. How can I modify the metadata that I send to the alternate destination so that the index names match without disturbing the metadata I send to my own Splunk Cloud deployment?

cwadhwani-splunk self-assigned this Oct 8, 2024

cwadhwani-splunk (Collaborator) commented

Filtering on an additional destination is something that can be used (Reference).
This allows you to filter the logs for the second destination, but you can also add a few lines to update the metadata for just the second destination.

Here is what you will have to do.
In env_file add the second destination with the below configs:

# "OTHER" is the identifier of the additional HEC destination
SC4S_DEST_SPLUNK_HEC_OTHER_URL=https://splunk:8088
SC4S_DEST_SPLUNK_HEC_OTHER_TOKEN=${SPLUNK_HEC_TOKEN}
# No certificate verification for this destination: any server certificate is accepted
SC4S_DEST_SPLUNK_HEC_OTHER_TLS_VERIFY=no
# SELECT: only events matched by a selector are sent to this destination
SC4S_DEST_SPLUNK_HEC_OTHER_MODE=SELECT

Create a new file with file path: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-cisco_dest_fmt_other.conf

block parser my_parser() {
    channel {
        rewrite {
            # Sets the index for the events passing through this selector,
            # i.e. only those routed to the OTHER destination
            r_set_splunk_dest_default(
                index('netfw_new')
            );
        };
    };
};

# The name in [...] ties this selector to the d_hec_fmt_other destination
application sc4s-lp-cisco_dest_fmt_other[sc4s-lp-dest-select-d_hec_fmt_other] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}";
    };
    parser { my_parser(); };
};

Restart the sc4s service after making these changes.
Note: index("${.splunk.index}_<somestring>") can also be used to update the index, if you want to append '_' after the index.

With these changes we are only sending the logs that have vendor 'cisco' to the OTHER destination, and we are changing their index to the hardcoded value 'netfw_new'. The filter can be changed based on your need.
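A generalization of the selector above, written here as an added example that is not from the issue or from the SC4S project: one selector that gives several vendors their own index at the OTHER destination and uses the `${.splunk.index}` suffix form from the note as the fallback. The file name, vendor strings and index names are constructed.

```conf
# Hypothetical file: /opt/sc4s/local/config/app_parsers/selectors/sc4s-lp-multi_dest_fmt_other.conf
# Vendor values and index names below are made up for illustration.
block parser other_dest_index() {
    channel {
        # Branch on the vendor SC4S already parsed into fields.sc4s_vendor
        if ('cisco' eq "${fields.sc4s_vendor}") {
            rewrite { r_set_splunk_dest_default(index('netfw_new')); };
        } elif ('paloalto' eq "${fields.sc4s_vendor}") {
            rewrite { r_set_splunk_dest_default(index('netfw_pan_new')); };
        } else {
            # Fallback: keep the existing index name and append a suffix,
            # the form mentioned in the note above
            rewrite { r_set_splunk_dest_default(index("${.splunk.index}_alt")); };
        };
    };
};

# Only events matching this filter reach the OTHER destination (MODE=SELECT);
# the default destination is not touched by this selector.
application sc4s-lp-multi_dest_fmt_other[sc4s-lp-dest-select-d_hec_fmt_other] {
    filter {
        'cisco' eq "${fields.sc4s_vendor}"
        or 'paloalto' eq "${fields.sc4s_vendor}"
        or 'fortinet' eq "${fields.sc4s_vendor}";
    };
    parser { other_dest_index(); };
};
```

Restart the sc4s service after placing the file, and confirm in the target Splunk Cloud deployment that each vendor lands in the expected index while the default destination's indexes are unchanged.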

rucete (Author) commented Oct 9, 2024

I managed to make the filtered destination work, finally! I have one last problem, though:

Apparently, the settings in splunk_metadata.csv overlap with those in the filter. When I leave the file empty, the filtered destination has the right value for index, but the default destination sends to lastchanceindex. With a populated splunk_metadata.csv and the selector filter in place, the opposite thing happens. How can I circumvent this?

cwadhwani-splunk (Collaborator) commented

Could you please send me the splunk_metadata.csv file, the filters used (you can also send the whole folder /opt/sc4s/local) and a sample log that you are using to test this to my email address cwadhwani@splunk.com?

rucete (Author) commented Oct 9, 2024

Done, thanks! I've double-checked the overlapping and I am confident it occurs as I described.
