splunk-connect-for-syslog

Why was the sourcetype changed on the isc dhcpd sourcetype??

Open dave-safian-kyndryl opened this issue 2 years ago • 3 comments

https://github.com/splunk/splunk-connect-for-syslog/pull/1772

Why did the sourcetype get changed from isc:dhcp to isc:dhcpd??

Docs indicate that it should be isc:dhcp https://splunk.github.io/splunk-connect-for-syslog/1555/sources/vendor/ISC/dhcpd/

Also the Splunk add-on to use with this datasource (as documented) should be isc:dhcp https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Sourcetypes

dave-safian-kyndryl Feb 13 '23 21:02

The document is not updated correctly; we will fix it.

If you need to change the sourcetype urgently, please update splunk_metadata.csv and restart sc4s:

isc_dhcpd,sourcetype,isc:dhcp

rjha-splunk Feb 13 '23 22:02

What is going to be the fix then? Are you going to leave the default sourcetype isc:dhcp or are you leaving it isc:dhcpd? Because leaving it isc:dhcpd means that a workaround is required in order for this data source to work with the ISC DHCP app. https://docs.splunk.com/Documentation/AddOns/released/ISCDHCP/Sourcetypes

dave-safian-kyndryl Feb 14 '23 13:02

We are not going to change it to dhcp as it can impact other customers as well. What we are going to do is:

  1. Correct the doc
  2. Provide the local parser to override the oob parser if a customer needs it.

rjha-splunk Feb 14 '23 13:02