topic Re: syslog field over-rides host_segment in Getting Data In

syslog field over-rides host_segment

inglisn — Wed, 23 May 2012 13:12:26 GMT

Hi,

I have a syslog server (Centos 6) with splunk 4.3.1 that receives syslog using the rsyslog daemon. The folder structure is /var/log/remote/1.2.3.4/syslog.log and I want to use the source IP address as the 'host' field.

The docs say to use host_segment, which I've done (inputs.conf shown below) but this seems to be ignored in favour of the syslog event hostname which could be IP, or could be hostname.

[monitor:///var/log/remote]
blacklist = *.gz
disabled = false
followTail = 0
index = test
sourcetype = syslog
whitelist = *.log
host_segment = 4

I've also tried manually setting it to a fixed string, and it still prefers the syslog headings. Sometimes the syslog message is that the last message repeated n times, in which case host=last.

Thanks

Re: syslog field over-rides host_segment

ziegfried — Wed, 23 May 2012 13:30:09 GMT

You can disable the syslog-host transform for the syslog sourcetype by adding the following stanza to your $SPLUNK_HOME/etc/system/local/props.conf

[syslog]
TRANSFORMS =

Re: syslog field over-rides host_segment

dshpritz — Wed, 23 May 2012 15:05:23 GMT

More info:

http://blogs.splunk.com/2008/04/16/overriding-default-syslog-host-extraction/

Re: syslog field over-rides host_segment

inglisn — Fri, 25 May 2012 12:51:58 GMT

Worked a treat. Thanks.

Re: syslog field over-rides host_segment

bnorthway — Fri, 26 Jun 2015 20:13:04 GMT

I have the same problem (Why isn't this in the official docs for host_segment?) but I don't want to change all events of the syslog sourcetype. What should I do?