Solved: Can I prevent the default index-time extraction fo...

hexx · ‎09-16-2010

I have several lightweight forwarders collecting syslog data from files in their respective /var/log/ directories and forwarding it all to one indexer.

For some of them, the hostname written in the files of /var/log/ differs from the system hostname (uname -n) set for the forwarder. This is intended.

I would like my indexer to always set the value of the "host" field of those events to the hostname of the forwarder sending them, NOT to extract that value from the contents of the file.

How can I achieve this?

hexx · ‎09-16-2010

The value of the "host" field for events of the "syslog" sourcetype is extracted using the "syslog-host" transform.

The transform is called in $SPLUNK_HOME/etc/system/default/props.conf :

[syslog]
pulldown_type = true 
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

The index-time filed extraction transform is defined $SPLUNK_HOME/etc/system/default/transforms.conf.

The easiest way to prevent that extraction from happening is to suppress the call of the transform by populating the $SPLUNK_HOME/etc/system/local/props.conf file in the following way :

[syslog]
TRANSFORMS =

This will result in the following effective configuration stanza for props.conf, which shows we have overwritten the TRANSFORMS used for the "syslog" sourcetype :

# $SPLUNK_HOME/bin/splunk cmd btool props list syslog --debug
system [syslog]
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
(...)
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true

After a restart of Splunk, the indexer will use the source ip/hostname of the forwarder that sent that data to populate the "host" field.

View solution in original post

hexx · ‎09-16-2010

The value of the "host" field for events of the "syslog" sourcetype is extracted using the "syslog-host" transform.

The transform is called in $SPLUNK_HOME/etc/system/default/props.conf :

[syslog]
pulldown_type = true 
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False

The index-time filed extraction transform is defined $SPLUNK_HOME/etc/system/default/transforms.conf.

The easiest way to prevent that extraction from happening is to suppress the call of the transform by populating the $SPLUNK_HOME/etc/system/local/props.conf file in the following way :

[syslog]
TRANSFORMS =

This will result in the following effective configuration stanza for props.conf, which shows we have overwritten the TRANSFORMS used for the "syslog" sourcetype :

# $SPLUNK_HOME/bin/splunk cmd btool props list syslog --debug
system [syslog]
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
system CHARSET = UTF-8
system DATETIME_CONFIG = /etc/datetime.xml
(...)
system TIME_FORMAT = %b %d %H:%M:%S
system TRANSFORMS =
system TRUNCATE = 10000
system maxDist = 3
system pulldown_type = true

After a restart of Splunk, the indexer will use the source ip/hostname of the forwarder that sent that data to populate the "host" field.

Can I prevent the default index-time extraction for the "host" field to occur for events of the "syslog" sourcetype?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification