topic Re: How to fix Splunk from incorrectly extracting hostname field in syslog events? in Splunk Search

How to fix Splunk from incorrectly extracting hostname field in syslog events?

krusty — Fri, 20 Jan 2017 08:59:52 GMT

Hi there,

we have an issue with hostname extraction from syslog events.
Normaly the extraction works fine, but for some sources it wont.

The event is shown as follows:
<186>13286: : : 7499: full.qualified.domainname: Jan 20 2017 08:44:06 AM.938 UTC : %UC_RTMT-2-RTMT_ALERT:....

And splunk extract AM.938 as the host field.

With other syslog Events like this:
<187>4265: : : 3147: full.qualified.domainname: Jan 20 2017 08:50:11.151 UTC : %UC_CALLMANAGER
the hostname is extracted as full.qualified.domainname.

How can I can I change the hostname extraction for the first event example?
Both events arrive the Splunk indexer via UDP and port 514. So I couldn't change the global extraction rule.

For me the problem is located at the timestamp. The first example event has AM/PM in it and the second example not. But I don't know where it comes from.

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

gcusello — Fri, 20 Jan 2017 09:16:38 GMT

hi krusty,
can you share the host regex?
every way, you should try to use a regex like \<\d+\>\d+:\s:\s:\s\d+:\s(?<hostname>[^:]*): to extract te correct host
(see https://regex101.com/r/ZDCObt/1).
Bye.
Giuseppe

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

krusty — Fri, 20 Jan 2017 10:34:15 GMT

hi Giuseppe,

thanks for your answer.
Indeed I have to enter the following entry to my transforms.conf and props.conf.

transforms.conf
[change_host_cuc]
SOURCE_KEY = _raw
REGEX = \<\d+\>[\d\s]+\:[\d\s]+\:[\d\s]+\:[\d\s]+\:\s(cuc\d+[^:]*):
DEST_KEY = MetaData:Host
FORMAT = host::$1
WRITE_META = true

props.conf
[syslog]
...
TRANSFORMS-cuc = change_host_cuc
...

So your idea to change the regex was perfect.
Many thanks for this.

Could you tell me also how to change the timeformat for the events during indexing?
As you can see, the event is in US timeformat but all other events are in 24h Format. If it's possible I'd like to uniform this.

Kind regards

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

gcusello — Fri, 20 Jan 2017 10:37:09 GMT

Probably the best way is to pre-parse your syslog, before Splunk acquiring.
Bye.
Giuseppe

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

aaraneta_splunk — Sat, 21 Jan 2017 03:11:30 GMT

@krusty - Did the answer provided by cusello help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

john_byun — Sat, 18 Mar 2017 00:05:12 GMT

We have the same issue, but only from one type of device. If I apply this setting, will it affect all other syslogs coming into Splunk?

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

gcusello — Sat, 08 Jul 2017 06:14:38 GMT

Hi john.byun,
I don't know your situation, but usually it depends by the appliance, we used preparsing in many situations.
Bye.
Giuseppe

Re: How to fix Splunk from incorrectly extracting hostname field in syslog events?

dingonet — Sat, 17 Jul 2021 14:25:38 GMT

while I use this case to resolve the hostname,it returned host as "$1" ,why?