topic Re: Original_host in Splunk Enterprise

Original_host

Kiko — Thu, 25 Apr 2024 15:29:20 GMT

Original_host Filed extraction should be aligned if a Syslog server have different date/time format. The current filed extraction is defined based on your syslog server and I am positive that this app works only for a couple of Splunk customers.

Re: Original_host

PickleRick — Thu, 25 Apr 2024 17:58:08 GMT

Honestly? I have no idea what you're talking about. Could you be more specific?

Re: Original_host

Kiko — Thu, 25 Apr 2024 18:04:58 GMT

in the props.conf, the original_host extraction won't work for the majority of users - EXTRACT-original_host = \d+-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[\+\-]\d{2}:\d{2}\s(?<original_host>\S+)

original_host is I believe a crucial fiield, so all datamodels can work as expected

Re: Original_host

PickleRick — Thu, 25 Apr 2024 18:16:59 GMT

Ok. We have no context. You're writing as if we were supposed to know what you are talking about. You're posting in a Splunk Enterprise section of this forum, which is meant for questions specific to on-premise software functionality and issues. But you selected a specific add-on as a product you're referring to. In such case you should have posted in the 'All Apps and Add-ons' section. We do not have glass orbs and don't know what you mean 😉