https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33344#M5965 <P>Fantastic answer! Thanks!!</P> Mon, 13 Aug 2012 21:45:25 GMT iunderwood 2012-08-13T21:45:25Z https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33341#M5962 <P>Here's an odd one I just noticed. I'm taking Syslog in from a Cisco PIX and I've got the input set up as such:</P> <PRE><CODE>[udp://5150] connection_host = dns sourcetype = syslog no_priority_stripping = true no_appending_timestamp = true </CODE></PRE> <P>I've also got a transform which changes the source type:</P> <PRE><CODE>[iu_cisco_pix] REGEX = %PIX-\d-[A-Z0-9_]+: DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::cisco_pix </CODE></PRE> <P>When I do a search on the source type, I see a number of entries where the host is changed to "bytes":</P> <P>&lt;166&gt;Aug 13 2012 11:20:54: %PIX-6-302014: Teardown TCP connection 19849033 for dmz:10.88.14.179/80 to inside:10.8.63.254/48574 duration 0:00:01 bytes 2528 TCP FINs</P> <P>host=bytes sourcetype=cisco_pix source=udp:5150 </P> <P>Most other lines are fine:</P> <P>&lt;166&gt;Aug 13 2012 11:54:09: %PIX-6-302013: Built outbound TCP connection 19853901 for dmz:10.88.14.179/80 (10.88.14.179/80) to inside:10.8.63.254/1183 (10.8.63.254/1183)</P> <P>host=eth1.pix-01.network sourcetype=cisco_pix source=udp:5150 </P> <P>Why does this happen?</P> <P>If I change the sourcetype to "cisco" in the input stanza, there are no problems.</P> Mon, 13 Aug 2012 15:57:03 GMT https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33341#M5962 iunderwood 2012-08-13T15:57:03Z https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33342#M5963 <P>I should mention that if I set the sourcetype in the input stanza to "cisco" instead of "syslog", the overwrites don't happen.</P> Mon, 13 Aug 2012 16:03:05 GMT https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33342#M5963 iunderwood 2012-08-13T16:03:05Z https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33343#M5964 <P>This is most likely due to the transform that rewrites the host field specifically for the "syslog" sourcetype. It's defined in <CODE>$SPLUNK_HOME/etc/system/local/transforms.conf</CODE> and looks like this:</P> <PRE><CODE>[syslog-host] DEST_KEY = MetaData:Host REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s FORMAT = host::$1 </CODE></PRE> <P>The reason for having this transform is that it's a pretty common scenario to have Splunk consume data from a syslog receiver that gets its events from loads of different hosts, so often in that case you'll want to have the host field set to where the events originally came from rather than where Splunk happened to read them.</P> <P>The sourcetype renaming happens after the host renaming, so this transform will take effect even though you have a transform that changes the sourcetype to something else than syslog immediately afterwards.</P> Mon, 13 Aug 2012 19:52:02 GMT https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33343#M5964 Ayn 2012-08-13T19:52:02Z https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33344#M5965 <P>Fantastic answer! Thanks!!</P> Mon, 13 Aug 2012 21:45:25 GMT https://community.splunk.com/t5/Getting-Data-In/Host-field-getting-overwritten-in-syslog-processing/m-p/33344#M5965 iunderwood 2012-08-13T21:45:25Z