splunk-connect-for-syslog
Cisco UCM data is not getting sourcetyped correctly
The CUCM data coming in from the syslog-ng server is getting indexed in the main index with the sc4s:fallback sourcetype. The documentation has UCM under known vendors with index ucm and sourcetype cisco:ucm, and upon checking the splunk_metadata.csv file, the index for the key cisco_ucm was specified as main, which I changed to ucm, but I still don't see data flowing into the ucm index. I have attached the events from Splunk. UCM Data.txt
Upon examining the code, I see that the filter for the CUCM data is:
application cisco_ucm[cisco_syslog] {
    filter {
        message('%UC_' type(string) flags(prefix));
        or message('%CCM_' type(string) flags(prefix));
May I know if this is case sensitive? The raw message that I'm receiving in Splunk has the ccm in lower case. Can we add or message('%ccm_' type(string) flags(prefix)); to the test as well?
I will check it and get back
Hi. Is there any update on this?
Looks like the message format is not as per standard. As we only have limited evidence here, I don't want to change the default parser. I am providing you a workaround: please create a file at /opt/sc4s/local/config/filters/cisco_ucm-postfilter.conf
block parser app-cisco-cisco_ucm-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                sourcetype('cisco:ucm')
                index('ucm')
                vendor('cisco')
                product('ucm')
            );
        };
    };
};
application app-cisco-cisco_ucm-postfilter[sc4s-postfilter] {
    filter {
        message('%UC_' type(string) flags(substring));
        or message('%CCM_' type(string) flags(substring));
    };
    parser { app-cisco-cisco_ucm-postfilter(); };
};
Here I have set the index to ucm; please feel free to change it, and restart sc4s after creating this file.
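To see why the default filter (flags(prefix)) and the workaround (flags(substring)) classify the same events differently, here is a small emulation of the two match modes over constructed sample messages. This is an added example, not code from the issue thread or from SC4S; it assumes syslog-ng's default case-sensitive matching for message() and the sample MESSAGE strings are made up.

```python
"""Emulate how the two sc4s filters in this thread route a CUCM event.

Added example; not SC4S project code. Only the two flag values that appear
in the thread (prefix, substring) are modelled, and matching is
case-sensitive, as syslog-ng's message() filter is by default.
"""
from dataclasses import dataclass

# The two markers both filters look for.
PATTERNS = ("%UC_", "%CCM_")


@dataclass(frozen=True)
class Dest:
    index: str
    sourcetype: str


# Where an unmatched event lands, and what the postfilter's
# r_set_splunk_dest_default(...) sets for a matched one.
FALLBACK = Dest("main", "sc4s:fallback")
UCM = Dest("ucm", "cisco:ucm")


def matches(msg: str, flag: str) -> bool:
    """message('<pattern>' type(string) flags(<flag>)) for either pattern."""
    if flag == "prefix":          # pattern must start the MESSAGE part
        return any(msg.startswith(p) for p in PATTERNS)
    if flag == "substring":       # pattern may appear anywhere
        return any(p in msg for p in PATTERNS)
    raise ValueError(f"unsupported flag {flag!r}")


def route(msg: str, flag: str = "prefix") -> Dest:
    """Return the Splunk destination the filter would assign to msg."""
    return UCM if matches(msg, flag) else FALLBACK


# Constructed sample MESSAGE parts (what syslog-ng sees after the header).
SAMPLES = {
    "marker_first": "%UC_CALLMANAGER-6-EndPointRegistered: [constructed]",
    "marker_later": "12345: cucm01: [constructed] : %UC_CALLMANAGER-6-EndPointRegistered",
    "lowercase": "12345: cucm01: [constructed] : %ccm_-6-EndPointRegistered",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13} prefix={route(msg, 'prefix').index:5} "
              f"substring={route(msg, 'substring').index}")
```

A lower-case marker such as the reporter's `%ccm_` is matched by neither mode, which is what the case-sensitivity question in the thread hinges on.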