topic Re: Change hostname for syslog sourcetype ? in Getting Data In

Change hostname for syslog sourcetype ?

frankejj — Tue, 09 Nov 2010 05:01:31 GMT

Hi,

I am trying to override the default hostname that is being set for the syslog entries on /var/log/messages. These are the only entries that are being indexed with 'hostname' instead of 'hostname.fqdn'

I have tried the following:
   $SPLUNKHOME/etc/system/local/props.conf:
      [syslog]
      TRANSFORMS =

RESULT: No difference

   $SPLUNKHOME/etc/system/local/props.conf:
     [source::/var/log/messages]
     # note: overriding default syslog transform!
     TRANSFORMS = something

   $SPLUNKHOME/etc/system/local/transforms.conf
     [something]
     DEST_KEY = MetaData:Host
     REGEX = .
     FORMAT = host::hostname.fqdn

RESULT: No difference

Am I missing something?

Thanks, John

Re: Change hostname for syslog sourcetype ?

Lowell — Tue, 09 Nov 2010 05:29:57 GMT

You realize that once the events are indexed they will not be changed by any configuration change. You will have to restart, and then only newly loaded events will have any change.

Otherwise, it looks like what you are trying should work.

Update:

The one thing I'm not sure about is exactly how the TRANSFORMS is being overwritten. The default config for syslog, which I'm assuming it the sourcetype you are using, uses the "syslog-host" transformer to extract the "host" value from the event text. Of the top of my head, I'm not sure which setting should win in a source vs sourcetype matching precedent like this (normally I try to avoid this kind of conflict.) Using btool and splunk test sourcetype /var/log/messages could be shed some light on the situation.

Re: Change hostname for syslog sourcetype ?

frankejj — Tue, 09 Nov 2010 20:28:17 GMT

Yes, I realize this. Even after the changes above the new syslog entries are still being indexed as hostname not as hostname.fqdn as I would expect.

Re: Change hostname for syslog sourcetype ?

frankejj — Thu, 11 Nov 2010 00:07:05 GMT

Thanks for the answer - using the related questions helped a lot. Also key piece of info was that SplunkLightForwarders do not apply transforms. The transforms get applied on the indexer.