Getting Data In

Set hostname correctly for SYSLOG input coming into Forwarder

castle1126
Communicator

I have a Linux forwarder running Splunk 4.1.2. This system uses TCP ports to listen for SYSLOG data from certain devices. When the log data comes in via these ports it is indexed nicely in Splunk. But the host value for these events is set to the Forwarder's host name. Is there a way I can REGEX the incoming SYSLOG information to grab the IP address near the beginning of the SYSLOG data, and set the host to this value?

Thanks!

1 Solution

tgow
Splunk Employee

Modifying the props.conf and transforms.conf on the Splunk Indexer should do the trick.

Configure a dynamically extracted host name for any source or sourcetype via transforms.conf and props.conf. Edit these files in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.

Edits to transforms.conf

Add your custom stanza to $SPLUNK_HOME/etc/system/local/transforms.conf. Configure your stanza as follows:

    [$UNIQUE_STANZA_NAME]
    DEST_KEY = MetaData:Host
    REGEX = $YOUR_REGEX
    FORMAT = host::$1

Fill in the stanza name and the regex fields with the correct values for your data.

Leave DEST_KEY = MetaData:Host to write a value to the host:: field. FORMAT = host::$1 writes the REGEX value into the host:: field.

Note: Name your stanza with a unique identifier (so it is not confused with a stanza in $SPLUNK_HOME/etc/system/default/transforms.conf).

Edits to props.conf

Create a stanza in $SPLUNK_HOME/etc/system/local/props.conf to map the transforms.conf regex to the source type in props.conf.

    [<spec>]
    TRANSFORMS-$name = $UNIQUE_STANZA_NAME

<spec> can be:

  1. <sourcetype>, the sourcetype of an event
  2. host::<host>, where <host> is the host for an event
  3. source::<source>, where <source> is the source for an event

$name is whatever unique identifier you want to give to your transform.

$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.

Note: Optionally add any other valid attribute/value pairs from props.conf when defining your stanza. This assigns the attributes to the <spec> you have set. For example, if you have custom line-breaking rules to set for the same <spec>, append those attributes to your stanza.

Follow this link for some great examples:

http://www.splunk.com/base/Documentation/4.1.5/admin/Setthevalueofhostbasedoneventdata

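As an added example (not code from the post or from Splunk's documentation), the following Python simulates the mechanism the answer describes: it parses constructed transforms.conf and props.conf stanzas, applies the TRANSFORMS chain for the sourcetype to constructed sample syslog events, and shows that an event whose REGEX does not match keeps the forwarder's host name. The stanza name syslog_host_from_ip, the sourcetype syslog, the regex and the sample events are assumptions for this example; the stanzas only take effect on a full (heavy) forwarder or the indexer, since a light forwarder does not parse events.

```python
import configparser
import re

# Constructed stanzas in the shape the answer describes; the stanza name and
# the regex are assumptions for this example, not taken from the page.
TRANSFORMS_CONF = r"""[syslog_host_from_ip]
DEST_KEY = MetaData:Host
REGEX = ^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\d{1,3}(?:\.\d{1,3}){3})\s
FORMAT = host::$1
"""
PROPS_CONF = r"""[syslog]
TRANSFORMS-sethost = syslog_host_from_ip
"""
# Constructed sample events as they would arrive on the forwarder's TCP port.
SAMPLE_EVENTS = [
    "<13>Jun  5 14:02:11 10.1.2.3 sshd[1234]: Accepted publickey for admin",
    "Jun  5 14:02:12 192.168.0.7 kernel: eth0 link up",
    "Jun  5 14:02:13 fw-edge01 %ASA-6-302013: Built outbound TCP connection",
]


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so DEST_KEY/REGEX/FORMAT survive
    cp.read_string(text)
    return cp


def extract_host(event, forwarder_host, sourcetype="syslog"):
    """Host Splunk would assign to one event: props.conf maps the sourcetype
    to transforms; a transform with DEST_KEY = MetaData:Host whose REGEX
    matches writes $1 into host, otherwise the forwarder's name is kept."""
    props, transforms = load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)
    host = forwarder_host
    for key, names in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms[name]
            if t["DEST_KEY"] != "MetaData:Host":
                continue
            # Anchored at the start of the event and limited to a dotted quad,
            # so an address later in the message body cannot become the host.
            m = re.search(t["REGEX"], event)
            if m:
                host = t["FORMAT"].replace("$1", m.group(1)).split("::", 1)[1]
    return host


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_host(ev, "fwd01"), "<-", ev)
```

The third event has a hostname instead of an address after the timestamp, so the regex fails and the event keeps the forwarder's host, which is exactly the symptom the question reports for unmatched data.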

castle1126
Communicator

To test with, I added the PROPS and TRANSFORMS to my Forwarder (not running light forwarder) and the host field did change correctly. Thanks for this information; it was very helpful!


castle1126
Communicator

So you would not add these settings to PROPS and TRANSFORMS on the system running Splunk Forwarder?
