splunk-connect-for-syslog
data is not going to defined sourcetype - Previous ticket #2510
Was the issue replicated by support?
What is the sc4s version ? 3.19.0
Which operating system (including its version) are you using for hosting SC4S? docker container
Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? docker
Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Is the issue related to the environment of the customer or Software related issue? Not Sure
Is it related to Data loss, please explain ? Protocol? Hardware specs?
Last chance index/Fallback index? sc4s index
Is the issue related to local customization? Not sure
Do we have all the default indexes created? NA

Describe the bug - The sourcetype is not the same as defined in the parser. The data is ending up in the cisco:ise:syslog sourcetype, and I don't have any poc:syslog sourcetype configured, but I see data for that too.
```
block parser app-dest-cisco_ise-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_default(
                index("cisco")
                sourcetype('cisco:ise')
                vendor("cisco")
                product("ise")
            );
        };
    };
};

application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
    filter {
        host("ise*" type(glob) flags(ignore-case));
    };
    parser {
        app-dest-cisco_ise-postfilter();
    };
};
```
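As an added illustration (not part of the issue above and not a file from the SC4S project), the same postfilter written with `r_set_splunk_dest_update`, which SC4S ships alongside `r_set_splunk_dest_default`. The assumption behind it: `r_set_splunk_dest_default` only fills in metadata that is still unset, so in a postfilter it cannot replace the sourcetype the built-in Cisco ISE parser has already assigned, whereas `r_set_splunk_dest_update` overwrites existing values. Only `index` and `sourcetype` are set here, since the sourcetype is what the report is about.

```syslog-ng
# Added example, not code from the issue or from the SC4S project.
# Assumption: r_set_splunk_dest_default() only sets metadata that is still
# empty, so it cannot override a sourcetype the vendor parser already set;
# r_set_splunk_dest_update() overwrites it. Place this in a .conf file under
# the local app_parsers directory (conventionally
# /opt/sc4s/local/config/app_parsers/) and restart the container.
block parser app-dest-cisco_ise-postfilter() {
    channel {
        rewrite {
            r_set_splunk_dest_update(
                index("cisco")
                sourcetype("cisco:ise")
            );
        };
    };
};

# Postfilter stage: runs after the built-in parsers, so the host glob matches
# events that already carry cisco:ise:syslog metadata.
application app-dest-cisco_ise-postfilter[sc4s-postfilter] {
    filter {
        host("ise*" type(glob) flags(ignore-case));
    };
    parser {
        app-dest-cisco_ise-postfilter();
    };
};
```

After the restart, a search such as `index=cisco host=ise* | stats count by sourcetype` in Splunk shows whether events from the ISE hosts now arrive as `cisco:ise` or still as `cisco:ise:syslog`; if the latter persists, the host glob (rather than the rewrite) is the next thing to check against the actual `host` value on the events.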