splunk-connect-for-syslog icon indicating copy to clipboard operation
splunk-connect-for-syslog copied to clipboard

Published 20 hours ago verified publisher icon splunk

ARCHIVE_MODE setting not being honored

Open zyphermonkey opened this issue 3 years ago • 1 comments

I have enabled archive mode in the global env file, but it's not honoring my ARCHIVE_MODE setting and using the folder/file structure laid out in the docs.

env_file

SC4S_ARCHIVE_GLOBAL=yes
SC4S_GLOBAL_ARCHIVE_MODE=compliance

The docs say my structure should be <archive mount>/${YEAR}/${MONTH}/${DAY}/${fields.sc4s_vendor_product}_${YEAR}${MONTH}${DAY}${HOUR}${MIN}.log But mine is following the diode mode and ignoring my setting in env_file. <archive mount>/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-archive.log

Furthermore switching SC4S_GLOBAL_ARCHIVE_MODE to diode doesn't switch the structure either.

zyphermonkey avatar Jul 23 '21 16:07 zyphermonkey

@rfaircloth-splunk any update on this?

zyphermonkey avatar Sep 16 '21 14:09 zyphermonkey

fixed in 2.34.2 @zyphermonkey

rjha-splunk avatar Aug 30 '22 14:08 rjha-splunk