topic Re: Cannot change host field in syslog data in Getting Data In

Cannot change host field in syslog data

sunrise — Mon, 28 Sep 2020 17:28:04 GMT

Hi Splunkers,

I collect syslog（/var/log/messages） data by Universal Forwarder, not UDP like this.
Sep 3 12:42:16 ip-111-111-111-111 dhclient: bound to 111.111.111.111 -- renewal in 1414 seconds.

And I want to get this host field as FQDN "myhost", but I cannot do this.
Configuration files in indexers as following.

inputs.conf
[monitor:///var/log/messages]
index = mysyslog
host = myhost

props.conf
[host::ip-111-111-111-111]
TRANSFORMS-t1 = rename_myhost

transforms.conf
[rename_myhost]
REGEX = ^.*$
DEST_KEY = MetaData:Host
FORMAT = host::myhost

How can I will do this ?

Thank you for your help.

Re: Cannot change host field in syslog data

HiroshiSatoh — Wed, 03 Sep 2014 04:58:36 GMT

inputs.confでhostを指定するのではダメですか？

例）
[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
host = myhost

Re: Cannot change host field in syslog data

sunrise — Wed, 03 Sep 2014 07:09:29 GMT

No I cannot do by that way.
I've already set host=myhost in inputs.conf file.

Re: Cannot change host field in syslog data

kristian_kolb — Wed, 03 Sep 2014 07:54:00 GMT

The problem is that while host=myhost is set in the input phase, data with the syslog sourcetype will be sent to a transform that rewrites the hostname to whatever comes after the timestamp in each event.

If you change the sourcetype to something other than syslog this host override will not happen.

Re: Cannot change host field in syslog data

saurabh_tek11 — Wed, 20 Dec 2017 07:35:52 GMT

@sunrise, @HiroshiSatoh @kristian.kolb Still it is unclear to me what would be correct settings in inputs, props and transforms.conf

is this correct ??
please correct me if i am not getting it right. Thanks for help!

inputs.conf
[monitor:///var/log/messages]
index = mysyslog
disabled = false
sourcetype = syslog
host = myhost

props.conf
[syslog]
TRANSFORMS-t1 = rename_myhost

transforms.conf
[rename_myhost]
REGEX = ^.*$
DEST_KEY = MetaData:Host
FORMAT = host::myhost

Re: Cannot change host field in syslog data

micahkemp — Wed, 20 Dec 2017 11:55:07 GMT

The above looks correct, but there is already a TRANSFORMS = syslog-host defined by default for the syslog sourcetype, which might occur after your transform, thus rewriting the host field again based on the contents of the syslog message.