Rahul Jha
Closing this issue. Doc will be updated if we see more use cases on this.
Are you following the aforementioned guide https://splunk.github.io/splunk-connect-for-syslog/1566/gettingstarted/#offline-container-installation ?
Offline documentation is updated and we didn't notice any issue.
We need pcap/raw data on the wire to reproduce the scenario; we haven't noticed this issue in any of our tests.
https://splunk.github.io/splunk-connect-for-syslog/main/experiments/ Use the property SC4S_USE_NAME_CACHE=yes to fix it. We don't think it's because of the upgrade.
The setting will help if it will send any event which is parsed correctly by sc4s.
Also, can you attach a pcap/sanitized log with header so that we can see if you are receiving it on the wire and what is not working? Alternatively, you can reach...
Thanks, it is enough for now. I will get back after reviewing all the provided input and attachment ASAP.
Can we have a real sample (anonymised)?
@harv-qq Apologies for missing it out. If the message is RFC5424 or RFC3164, there will be no problem in assigning the right sourcetype and other default metadata. I just tested the...