RDTag Ignored when Forwarding to Splunk via Rdump
iamaleks opened this issue · 0 comments
iamaleks commented
Hello,
I have attempted to forward output via RDump to Splunk using the following command:
$ target-query [PATH_OF_IMAGE] -f users | rdump -w splunk://172.20.32.126:3000?rdtag=test123
[reading from stdin]
$
I do not observe the RDTag in the output being sent to Splunk in transit (the following screenshot is from a PCAP of the data sent in transit).
I also do not observe the RDTag in the data that is received by Splunk.
I only came across the ability to add the RDTag in the source code (https://github.com/fox-it/flow.record/blob/e234f617a4aab625808598385f4f5a4a4f68eea6/flow/record/adapter/splunk.py#L12).
Should the RDTag I specified be taking effect or have I done something wrong when executing the command?
PS: The version of the software I am using is as follows:
$ rdump --version
flow.record version 3.5
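A way to check the same thing without a PCAP or a Splunk instance, added here as an example and not code from the flow.record project or the reporter: parse the writer URI the way the question expects it to be read (host, port, and the rdtag query parameter), then point rdump at a local TCP listener that records everything the writer sends, and grep the capture for `rdtag=`. It assumes the splunk writer speaks plain TCP to the given host:port and emits one key=value event per line; both are assumptions, not confirmed by the issue. The sample events in `demo()` are constructed stand-ins for rdump output, used only so the script runs offline.

```python
"""Capture what an rdump writer sends over TCP and check for the rdtag.

Added example. Assumes (not confirmed by the issue) that the splunk
writer connects over plain TCP and writes one key=value event per line.
"""
import socket
import threading
from urllib.parse import parse_qs, urlsplit


def parse_adapter_uri(uri: str):
    """Split an rdump writer URI such as splunk://host:port?rdtag=x into
    (scheme, host, port, params). Repeated query keys keep the last value."""
    parts = urlsplit(uri)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return parts.scheme, parts.hostname, parts.port, params


class TcpCapture:
    """Single-connection TCP listener that records every byte it receives.

    Bind to port 0 to get a free port, then run e.g.
      rdump -w "splunk://127.0.0.1:<port>?rdtag=test123"
    against it and inspect wait() afterwards.
    """

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.data = bytearray()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        # Accept exactly one client and read until it closes the connection.
        conn, _ = self._srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                self.data += chunk
        self._srv.close()

    def wait(self, timeout: float = 5.0) -> bytes:
        """Block until the client disconnects (or timeout) and return the capture."""
        self._thread.join(timeout)
        return bytes(self.data)


def find_tag(payload: bytes, tag: str):
    """Return the captured lines that carry rdtag=<tag>."""
    needle = f"rdtag={tag}".encode()
    return [line for line in payload.splitlines() if needle in line]


def send_lines(port: int, lines) -> None:
    """Stand-in for rdump: push the given lines at the capture socket."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        for line in lines:
            sock.sendall(line.encode() + b"\n")


def demo():
    """Run the capture against constructed sample events (NOT real rdump output).

    Returns (raw_payload, lines_carrying_the_tag)."""
    cap = TcpCapture()
    send_lines(cap.port, [
        'type="users" name="alice" home="/home/alice" rdtag=test123',
        'type="users" name="bob" home="/home/bob"',
    ])
    payload = cap.wait()
    return payload, find_tag(payload, "test123")


if __name__ == "__main__":
    print(parse_adapter_uri("splunk://172.20.32.126:3000?rdtag=test123"))
    raw, hits = demo()
    print(f"captured {len(raw)} bytes, {len(hits)} line(s) carry the rdtag")
```

When using this against a real run, quote the writer URI on the command line so the shell cannot treat the `?` as a glob character, and compare the captured bytes against what the PCAP showed; if `find_tag` returns nothing, the tag never left rdump, which separates a writer-side problem from anything Splunk does on receipt.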