SC4S forward logs to Splunk without date and hostname.

[Adpafer]

Hello,

I have rsyslog configured on my linuxPC that sends logs to SC4S and then SC4S forwards these logs to a given index. Logs received by SC4S look like this example:

<30>Dec 20 08:35:26 linuxPC dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

but when SC4S forwards them to Splunk, Splunk receives them with no date, time and host name:

dbus-daemon[533]: [system] Successfully activated service 'net.reactivated.Fprint'

Is there any way Splunk can receive the same log ?

thanks for help, regards, pawelF

[rjha-splunk]

SC4S extracts metadata and assigns it to the field , it is possible by writing an app-parsers.

Something like this can be used #1825