topic Re: After upgrading to Splunk 5, hostname field is incorrectly extracted in Getting Data In

After upgrading to Splunk 5, hostname field is incorrectly extracted

awaite_youzee — Tue, 27 Nov 2012 15:33:19 GMT

Hello,

I've been running Splunk 4 for about 2 years now, and I've been feeding it using syslog-ng to aggregate and filter incoming logs from remote hosts. This worked wonderfully, as long as we used the "keep_hostname(yes)" option in syslog-ng.

Now that I've upgraded to Splunk 5, Splunk appears to be setting the hostname field in search to the hostname of the log aggregator, not the original host. So now I've got 3 sets of timestamps, 2 hostnames in the log message itself, and an incorrect host field extraction.

How can I get Splunk to properly handle relayed syslog data, and properly extract the fields from the logs?

Re: After upgrading to Splunk 5, hostname field is incorrectly extracted

yannK — Tue, 27 Nov 2012 16:23:42 GMT

What is your sourcetype?
by default the syslog sourcetype extract the host from the events.

Re: After upgrading to Splunk 5, hostname field is incorrectly extracted

awaite_youzee — Tue, 27 Nov 2012 16:32:10 GMT

yes, I set the sourcetype to be "syslog", but it's extracting the hostname of the log aggregator, not the hostname of the source of the log message.

Re: After upgrading to Splunk 5, hostname field is incorrectly extracted

awaite_youzee — Thu, 29 Nov 2012 11:39:36 GMT

I have found a solution which works!

http://splunk-base.splunk.com/answers/5694/central-syslog-ng-server-extra-headers-and-field-extraction