https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164675#M33397 <P>Sourcetype=syslog results are picking up the short hostname from the /var/log/messages file. I tried to correct this per the instructions here : <A href="http://answers.splunk.com/answers/6895/can-i-prevent-the-default-index-time-extraction-for-the-host-field-to-occur-for-events-of-the-syslog-sourcetype">http://answers.splunk.com/answers/6895/can-i-prevent-the-default-index-time-extraction-for-the-host-field-to-occur-for-events-of-the-syslog-sourcetype</A></P> <P>Specifically, I now have a local/props.conf file. The contents are as follows:</P> <PRE><CODE>[syslog] TRANSFORMS = </CODE></PRE> <P>The output looks correct, TRANSFORMS is null. Yet the hostname is still getting set to the shortname, presumably from the shortname in the /var/log/messages file.</P> <P><CODE>splunk cmd btool props list syslog --debug<BR /> Splunk_TA_ [syslog]<BR /> system ANNOTATE_PUNCT = True<BR /> system BREAK_ONLY_BEFORE = <BR /> system BREAK_ONLY_BEFORE_DATE = True<BR /> .<BR /> .<BR /> system TIME_FORMAT = %b %d %H:%M:%S<BR /> system TRANSFORMS = <BR /> system TRUNCATE = 10000<BR /> .<BR /> .<BR /> </CODE></P> <P>Any ideas?</P> <P>Thanks,<BR /> Karla</P> Tue, 25 Feb 2014 13:06:26 GMT di2esysadmin 2014-02-25T13:06:26Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164675#M33397 <P>Sourcetype=syslog results are picking up the short hostname from the /var/log/messages file. I tried to correct this per the instructions here : <A href="http://answers.splunk.com/answers/6895/can-i-prevent-the-default-index-time-extraction-for-the-host-field-to-occur-for-events-of-the-syslog-sourcetype">http://answers.splunk.com/answers/6895/can-i-prevent-the-default-index-time-extraction-for-the-host-field-to-occur-for-events-of-the-syslog-sourcetype</A></P> <P>Specifically, I now have a local/props.conf file. The contents are as follows:</P> <PRE><CODE>[syslog] TRANSFORMS = </CODE></PRE> <P>The output looks correct, TRANSFORMS is null. Yet the hostname is still getting set to the shortname, presumably from the shortname in the /var/log/messages file.</P> <P><CODE>splunk cmd btool props list syslog --debug<BR /> Splunk_TA_ [syslog]<BR /> system ANNOTATE_PUNCT = True<BR /> system BREAK_ONLY_BEFORE = <BR /> system BREAK_ONLY_BEFORE_DATE = True<BR /> .<BR /> .<BR /> system TIME_FORMAT = %b %d %H:%M:%S<BR /> system TRANSFORMS = <BR /> system TRUNCATE = 10000<BR /> .<BR /> .<BR /> </CODE></P> <P>Any ideas?</P> <P>Thanks,<BR /> Karla</P> Tue, 25 Feb 2014 13:06:26 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164675#M33397 di2esysadmin 2014-02-25T13:06:26Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164676#M33398 <P>An additional related question . . . once I get this working the way I want, is it possible to change the hostname settings for data already indexed? Or this that just a ridiculous question?</P> Tue, 25 Feb 2014 14:48:58 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164676#M33398 di2esysadmin 2014-02-25T14:48:58Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164677#M33399 <P>To change already-indexed data you would need to remove it and re-index.</P> Tue, 25 Feb 2014 20:29:43 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164677#M33399 martin_mueller 2014-02-25T20:29:43Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164678#M33400 <P>As I suspected. Thanks Martin. </P> <P>Any suggestions on how to solve the problem I posed? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 27 Feb 2014 13:53:24 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164678#M33400 di2esysadmin 2014-02-27T13:53:24Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164679#M33401 <P>More information would be required to understand why this is not taking effect. First guess: did you make this change to props.conf on the forwarder? It needs to be configured on the indexer as the forwarder only handles the input stage. The following props.conf subset is applied on a universal/lightweight forwarder:</P> <BLOCKQUOTE> sourcetype CHARSET NO_BINARY_CHECK CHECK_METHOD CHECK_FOR_HEADER PREFIX_SOURCETYPE </BLOCKQUOTE> <P>Reference:<BR /> <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">Where do I configure my Splunk settings?</A></P> <P>Verify the above, along with the final sourcetype. Look for other transforms that are related to the source or other attributes. Reply to your open support case if none of this helps to resolve the issue.</P> Tue, 11 Mar 2014 20:00:42 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164679#M33401 jreuter_splunk 2014-03-11T20:00:42Z https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164680#M33402 <P>I did NOT make it on the indexer. Got it in one ! thanks.</P> Thu, 13 Mar 2014 11:33:31 GMT https://community.splunk.com/t5/Getting-Data-In/Removed-the-syslog-host-transform-but-hostname-is-still-getting/m-p/164680#M33402 di2esysadmin 2014-03-13T11:33:31Z