Rahul Jha
@mshensg I will request you to test the feature mentioned in https://github.com/splunk/splunk-connect-for-syslog/pull/1794. It should address it based on port ID and should work as required.
Yes, that's how it works: for special products, data needs to be sent to a different port for the logic to work. For plugin.py, yes, I agree it's not referenced...
The list of topics is at https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/plugin/app_parser_topics.conf
We will check it, thank you for sharing the sample.
The logs you shared have no workable header. Kindly capture a pcap, analyse it, sanitise it and share it. BTW, did you create the parser mentioned in the docs https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Brocade/switch/ ? You need...
Thank you so much for providing it. I will write a test case and release it post-analysis this week. FYI @nandinivij @mkarlstrand-splunk @satellite-no
Can you please attach the pcap file?
Sure, please provide the redacted (anonymized) logs.
Any update on the pcap/redacted logs?
I think the way you described above can work; another way is splunk_metadata.csv with the right key, and a third way is a .conf in local/context/rewriters.