https://community.splunk.com/t5/Getting-Data-In/setting-hostname-via-syslog/m-p/28993#M4995 <P><A href="http://splunk-base.splunk.com/answers/38284/how-do-i-set-hostname-without-syslog">http://splunk-base.splunk.com/answers/38284/how-do-i-set-hostname-without-syslog</A><BR /> -inputs.conf</P> <P>[monitor:///var/log/HOSTS/...]</P> <P>disabled = 0</P> <P>followTail = 0</P> <P>sourcetype = syslog</P> <P>-props.conf</P> <P>[ syslog ]</P> <P>TRANSFORMS-t1 = rename_host</P> <P>-transforms.conf</P> <P>[rename_host]</P> <P>REGEX = s_local@([^s]+)</P> <P>FORMAT = host::$1</P> <P>DEST_KEY = MetaData:Host</P> Thu, 08 Aug 2013 17:56:25 GMT davecroto 2013-08-08T17:56:25Z https://community.splunk.com/t5/Getting-Data-In/setting-hostname-via-syslog/m-p/28992#M4994 <P>Hi,</P> <P>I have a feed that is collecting data and resending it to Splunk via syslog. I'd like to extract the hostname from the message, not the device sending the message. </P> <P>If my feed was like this, and I wanted to extract it from agentmachine=... (up to the next pipe, but no $), how would I do that?</P> <P>2013-08-08T11:06:40-04:00 1.2.3.4 blahblahblah eventid=675|agentmachine=XXX\AAAAA$|auditmachine=|category=9|ClientDomain=|clientUser=SDFSDF|clientlogonid=0|clientsid=S-1-5-21-1343024091-606747145-1801674531-1091404|collectiontime=8/8/2013 3:06:37 PM|creationtime=8/8/2013 3:06:36 PM|flags=1|headerDomain=AAAA|headersid=S-1-5-18|headeruser=SYSTEM|Primarydomain=|PrimaryLogonID=0|primarysid=|primaryuser=|targetDomain=|targetsid=|targetuser=|sequenceno=3514421565|source=Security|string01=krbtgt/BMI|string02=0x0|string03=0x19|string04=1.2.3.4|string05=|string06=|string07=|string08=|string09=|string10=|string11=|string12=|string13=|string14=|string15=|string16=|string17=|string18=|string19=|string20=|string21=|string22=|type=16|listenerName=AD-Kerberos-PreAuthFailed</P> Thu, 08 Aug 2013 15:39:14 GMT https://community.splunk.com/t5/Getting-Data-In/setting-hostname-via-syslog/m-p/28992#M4994 a212830 2013-08-08T15:39:14Z https://community.splunk.com/t5/Getting-Data-In/setting-hostname-via-syslog/m-p/28993#M4995 <P><A href="http://splunk-base.splunk.com/answers/38284/how-do-i-set-hostname-without-syslog">http://splunk-base.splunk.com/answers/38284/how-do-i-set-hostname-without-syslog</A><BR /> -inputs.conf</P> <P>[monitor:///var/log/HOSTS/...]</P> <P>disabled = 0</P> <P>followTail = 0</P> <P>sourcetype = syslog</P> <P>-props.conf</P> <P>[ syslog ]</P> <P>TRANSFORMS-t1 = rename_host</P> <P>-transforms.conf</P> <P>[rename_host]</P> <P>REGEX = s_local@([^s]+)</P> <P>FORMAT = host::$1</P> <P>DEST_KEY = MetaData:Host</P> Thu, 08 Aug 2013 17:56:25 GMT https://community.splunk.com/t5/Getting-Data-In/setting-hostname-via-syslog/m-p/28993#M4995 davecroto 2013-08-08T17:56:25Z