https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184457#M36946 <P>If the host name is part of the filename you can extract that with </P> <PRE><CODE>host_regex = &lt;reg_ex&gt; </CODE></PRE> <P>in your inputs.conf. If the name is not on the file name a transform it is.</P> Thu, 15 Jan 2015 16:44:07 GMT trsavela 2015-01-15T16:44:07Z https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184453#M36942 <P>Hi,</P> <P>i would like to strip the "Original Address" Text that splunk appends. How do i do this ? </P> <PRE><CODE>Original Address=xx.xx.x.x 1 2015-01-15T14:28:51.341+11:00......................................... </CODE></PRE> <P>Cheers</P> Thu, 15 Jan 2015 03:42:15 GMT https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184453#M36942 nishan_perera 2015-01-15T03:42:15Z https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184454#M36943 <P>I think Original Address data is actually present in the input before splunk gets it. This is a common thing for syslog implentations to do. Can you elaborate on why you think that splunk is appending this to your events/results?</P> Thu, 15 Jan 2015 04:32:46 GMT https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184454#M36943 chanfoli 2015-01-15T04:32:46Z https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184455#M36944 <P>when i check the syslog before it gets forwarded to splunk it looks like this.</P> <PRE><CODE>2015-01-14 00:00:06 Local0.Info xx.xx.xxx.xx 1 2015-01-13T23:59:04.196+11:00............. </CODE></PRE> <P>So splunk basically append "Original Address=" infront of the Source IP</P> Thu, 15 Jan 2015 04:38:02 GMT https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184455#M36944 nishan_perera 2015-01-15T04:38:02Z https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184456#M36945 <P>Hi nishan_perera,</P> <P>Like @chanfoli wrote, this caused by the forwarding syslog server. You can fix it in Splunk by using a transformation.<BR /> It should be done on the indexer(s). You will need two files, props.conf and transforms.conf, both of them in <STRONG>$SPLUNK_HOME/etc/system/local</STRONG>. I will assume that this is the only data that is coming from the syslog server, and that the syslog server is named syslogServer (for my example).</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[host::syslogServer] TRANSFORMS-t1=rename_host </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[rename_host] REGEX=Original Address\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) DEST_KEY=MetaData:Host FORMAT=host::$1 </CODE></PRE> <P>This transformation will be applied to data from the host as it is indexed. Data already in the index will not be affected.</P> <P>cheers, MuS</P> Thu, 15 Jan 2015 06:37:41 GMT https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184456#M36945 MuS 2015-01-15T06:37:41Z https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184457#M36946 <P>If the host name is part of the filename you can extract that with </P> <PRE><CODE>host_regex = &lt;reg_ex&gt; </CODE></PRE> <P>in your inputs.conf. If the name is not on the file name a transform it is.</P> Thu, 15 Jan 2015 16:44:07 GMT https://community.splunk.com/t5/Getting-Data-In/Strip-quot-Original-Address-quot-text-in-splunk/m-p/184457#M36946 trsavela 2015-01-15T16:44:07Z