I've tried several transformations and even field extractor but I can't get Splunk to extract the hostname out of Kiwi's syslog files.
I have created the following transformation using the field extractor: (?i)^[^.]*\.\w+\t(?P<host>[^\t]+). Even after nuking the index I can't get it to extract the hostname/IP out of my .txt syslog files; we have one for each device, rotated once a day.
I even created a new sourcetype with no luck.
Any ideas would be appreciated.
asked 04 Jun '12, 14:21
Being a New Zealander, I feel compelled to answer :)
For the "host" field, you might want to consider performing an index-time transform (via entries in props.conf and transforms.conf).
Can you also post an example from the syslog file so I can check the accuracy of your regex?
answered 04 Jun '12, 15:08
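An added example of the index-time host override the answer describes (not the poster's or the answerer's own config). It assumes Kiwi's tab-delimited layout of date, time, priority, host, message (the layout the question's regex also implies) and an assumed sourcetype name of kiwi_syslog.

```ini
# props.conf  (sourcetype name is an assumption; match it to your own inputs.conf)
[kiwi_syslog]
# Run the host override transform at index time on every event of this sourcetype.
TRANSFORMS-kiwihost = kiwi_host_override

# transforms.conf
[kiwi_host_override]
# Assumed Kiwi line layout: <date> TAB <time> TAB <priority> TAB <host> TAB <message>
# Capture the fourth tab-separated field; [^\t]+ works for both hostnames and IPs.
REGEX = ^[^\t]+\t[^\t]+\t[^\t]+\t([^\t]+)\t
# Write the capture into the event's host metadata instead of a search-time field.
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

These stanzas are applied by the instance that parses the data (indexer or heavy forwarder) and take effect only for events indexed after the change, which is why a search-time field extractor never changes the host value of already-indexed events.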