https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555240#M91981 <P>HI</P><P>That method wat&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;proposal works well, but how to implement it to your environment depends on how you are takin those logs in splunk. Are you using directly UDP/TCP port on forwarder or are you reading those on filesystem (as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;supposed) and his those are divided on FS if they are there.</P><P>r. Ismo</P> Thu, 10 Jun 2021 07:36:17 GMT isoutamo 2021-06-10T07:36:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/554620#M91903 <P>We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.</P><P>Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.</P><P>I recall there was a way to configure some metadata field to extract and apply the transform for creating a new host field for intermediate forwarder, but I dont recall how I did it.</P><P>Can someone please advise how to do this ?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 07 Jun 2021 01:41:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/554620#M91903 dm1 2021-06-07T01:41:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555214#M91978 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233960">@dm1</a>&nbsp;</P><P>You can use INGEST_EVAL to create index time field in transforms.conf and refer the same in props.conf on HF/indexer.&nbsp;</P><P>It works similar to eval, your syslog sever name should be part of one of the deault fields (host, source)/_raw. Refer -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/transformsconf#transforms.conf.example" target="_blank">transforms.conf - Splunk Documentation</A></P><P>---</P><P>An upvote would be appreciated if it helps!</P> Thu, 10 Jun 2021 03:32:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555214#M91978 venkatasri 2021-06-10T03:32:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555220#M91979 <P>Can you please give an example on how this can be achieved using ingest_eval ?</P> Thu, 10 Jun 2021 05:27:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555220#M91979 dm1 2021-06-10T05:27:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555223#M91980 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233960">@dm1</a></P><P>Following should be deployed to HF/indexer. Assuming here your source field having syslog_server_host.. it could be _raw as well.</P><P>syslog_server field will be indexed.</P><P>&nbsp;</P><LI-CODE lang="markup"># props.conf [sourcetype_name_here/source::/host::] TRANSFORM-set_syslogs = index-syslog-host #transforms.conf # INGEST_EVAL works same as EVAL [index-syslog-host] INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>UI version of testing of EVAL.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="venkatasri_0-1623303680966.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14566i9A7A7AB56C32F266/image-size/medium?v=v2&amp;px=400" role="button" title="venkatasri_0-1623303680966.png" alt="venkatasri_0-1623303680966.png" /></span></P><P>----</P><P>An upvote would be appreciated if it helps!</P> Thu, 10 Jun 2021 05:45:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555223#M91980 venkatasri 2021-06-10T05:45:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555240#M91981 <P>HI</P><P>That method wat&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;proposal works well, but how to implement it to your environment depends on how you are takin those logs in splunk. Are you using directly UDP/TCP port on forwarder or are you reading those on filesystem (as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163730">@venkatasri</a>&nbsp;supposed) and his those are divided on FS if they are there.</P><P>r. Ismo</P> Thu, 10 Jun 2021 07:36:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-field-to-represent-intermediate-forwarder-for/m-p/555240#M91981 isoutamo 2021-06-10T07:36:17Z