topic syslog parsing... in Getting Data In https://community.splunk.com/t5/Getting-Data-In/syslog-parsing/m-p/107867#M22677 <P>Hi,</P> <P>I need to process a syslog feed, but only keep certain hosts, and throw the rest away. </P> <P>I first setup the feed to process syslog and set the host to the incoming device, and everything looks ok. </P> <P>However, once I add the piece to parse the syslog, the naming of the host reverts back to the name of the server where the forwarder is running (running a heavy forwarder). I'm not sure why that is happening. Here are my props.conf and transforms.conf:</P> <P>props.conf:<BR /> [euc_syslogdata]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> SHOULD_LINEMERGE = False<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> NO_BINARY_CHECK = 1<BR /> TRANSFORMs = syslog-host,setnull,setparsing</P> <P>transforms.conf:</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = [vc-]<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[syslog-host]<BR /> DEST_KEY = MetaData:Host<BR /> REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s<BR /> FORMAT = host::$1</P> Mon, 28 Sep 2020 13:13:21 GMT a212830 2020-09-28T13:13:21Z syslog parsing... https://community.splunk.com/t5/Getting-Data-In/syslog-parsing/m-p/107867#M22677 <P>Hi,</P> <P>I need to process a syslog feed, but only keep certain hosts, and throw the rest away. </P> <P>I first setup the feed to process syslog and set the host to the incoming device, and everything looks ok. </P> <P>However, once I add the piece to parse the syslog, the naming of the host reverts back to the name of the server where the forwarder is running (running a heavy forwarder). I'm not sure why that is happening. Here are my props.conf and transforms.conf:</P> <P>props.conf:<BR /> [euc_syslogdata]<BR /> MAX_TIMESTAMP_LOOKAHEAD = 32<BR /> SHOULD_LINEMERGE = False<BR /> TIME_FORMAT = %b %d %H:%M:%S<BR /> NO_BINARY_CHECK = 1<BR /> TRANSFORMs = syslog-host,setnull,setparsing</P> <P>transforms.conf:</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[setparsing]<BR /> REGEX = [vc-]<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[syslog-host]<BR /> DEST_KEY = MetaData:Host<BR /> REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?).\w+\s+)*[?(\w[\w.-]{2,})]?\s<BR /> FORMAT = host::$1</P> Mon, 28 Sep 2020 13:13:21 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-parsing/m-p/107867#M22677 a212830 2020-09-28T13:13:21Z Re: syslog parsing... https://community.splunk.com/t5/Getting-Data-In/syslog-parsing/m-p/107868#M22678 <P>I see a typo :</P> <P><CODE>TRANSFORMs = syslog-host,setnull,setparsing</CODE></P> <P>should be</P> <P><CODE>TRANSFORMS = syslog-host,setnull,setparsing</CODE></P> Fri, 01 Feb 2013 17:38:39 GMT https://community.splunk.com/t5/Getting-Data-In/syslog-parsing/m-p/107868#M22678 yannK 2013-02-01T17:38:39Z