Hi guys, I've tried several transformations and even the field extractor but I can't get Splunk to extract the hostname out of Kiwi's syslog files. I have created the following transformation: (?i)^[^.]*\.\w+\t(?P<host>[^\t]+) using the field extractor, but even after nuking the index I can't get it to extract the hostname/IP out of my .txt syslog files; we have one for each device, rotated once a day. I even created a new sourcetype with no luck. Any ideas would be appreciated. Thank you
Being a New Zealander, I feel compelled to answer :) For the "host" field, you might want to consider performing an index-time transform (via entries in props.conf and transforms.conf). props.conf
transforms.conf
Can you also post an example from the syslog file so I can check the accuracy of your regex?
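As an added example (not the answer's own conf entries, which are missing from the page), here is the shape of the index-time host override the answer describes. It assumes the Kiwi file is tab-delimited in the order date time, facility.priority, host, message, which is the layout the question's regex is written against; the sourcetype name kiwi_syslog and the stanza name kiwi_host_override are placeholders to be replaced with your own.

```ini
# --- props.conf (assumed sourcetype name; assign it to the Kiwi input in inputs.conf) ---
[kiwi_syslog]
# Index-time host override: run the named transform on every event of this sourcetype
TRANSFORMS-host = kiwi_host_override

# --- transforms.conf ---
[kiwi_host_override]
# Assumed Kiwi layout: <date time>\t<facility.priority>\t<host or IP>\t<message>
# The third tab-separated column is captured as the host. [^\t]+ is used rather
# than \w+ so that dotted IP addresses and hostnames with hyphens both match.
REGEX = ^[^\t]+\t[^\t]+\t([^\t]+)\t
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Because this is an index-time transform, it only affects events indexed after Splunk is restarted (or after the new files are read); events already in the index keep whatever host value they were given, which is why re-indexing was needed in the question. If the host column turns out to be in a different position in the actual log, adjust the number of leading `[^\t]+\t` groups to match, and confirm with a sample line before relying on the regex.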