sources for rsa is coming as program:$date

[lavanyakommineni]

Was the issue replicated by support? No

What is the sc4s version ? 3.27.0

Which operating system (including its version) are you using for hosting SC4S? ubuntu

Which runtime (Docker, Podman, Docker Swarm, BYOE, MicroK8s) are you using for SC4S? Docker

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support? upon request

Is the issue related to the environment of the customer or Software related issue? software related

Is it related to Data loss, please explain ? NA
Protocol? Hardware specs?

Last chance index/Fallback index? sc4s index

Is the issue related to local customization? No

Do we have all the default indexes created? yes

Describe the bug
all sources related rsa are being written as program:$date etc

To Reproduce
Steps to reproduce the behavior:
1.Go to '...' splunk SH cluster
2.Click on '....' query index=rsa sc4s_loghost=*
3.Scroll down to '....'
4.See error

[cwadhwani-splunk]

Hi @lavanyakommineni

Please create a support ticket and attach a PCAP file there so that we can get the raw logs to work this issue.

[cwadhwani-splunk]

Closing this issue as the reported issue is the way sc4s is designed and also due to unavailability of the PCAP file.