Unable to set host on index time

manderson7
Contributor

I'm bringing in Cisco Router logs via syslog and using the TA-Cisco_ios addon. I have some flaky log entries that I've massaged as much as I can when bringing it in, and now have to set the host from the log data. My logs look like:

Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry  found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1

My props.conf looks like:

#Define hostname  
[sourcetype::cisco:ios]
Transforms-obfuscated-0-gw=define_host

and Transforms looks like:

[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Can someone tell me where to go from here? That regex pulls the hostname according to regex101.

0 Karma
1 Solution

mikaelbje
Motivator

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

manderson7
Contributor

That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.

0 Karma
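
The following is an added example, not part of the original thread: it runs the `define_host` REGEX from the question over one posted log line and two constructed variants to show how a pattern that counts four space-separated tokens can produce unexpected host values. Python's `re` stands in for Splunk's regex engine here, and the `STRICT` pattern is a hypothetical alternative, not something proposed by the posters; whether either variant is what produced the extra host values in the asker's data is not known from the thread.

```python
import re

# REGEX from the [define_host] stanza in the question.
ORIGINAL = re.compile(r"^(?:[^ \n]* ){4}([^:]+)")

# Hypothetical stricter pattern (assumption, not from the thread): syslog
# timestamp with flexible spacing, a dotted-quad sender address, then a token
# made only of hostname characters and terminated by a colon.
STRICT = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (?:\d{1,3}\.){3}\d{1,3} ([A-Za-z0-9._-]+):"
)


def extract_host(pattern, line):
    """Return the value the transform would write to MetaData:Host.

    None means the regex did not match, in which case the transform would
    not fire and the event would keep its default host.
    """
    m = pattern.search(line)
    return m.group(1) if m else None


# The first line is copied from the question; the others are constructed.
SAMPLES = [
    "Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: "
    "CDP-PA: version 2 packet sent out on Multilink1",
    # Constructed: single-digit day, which syslog pads with two spaces.
    "Apr  4 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr  4 13:48:20.095 EDT: "
    "CDP-PA: version 2 packet sent out on Multilink1",
    # Constructed: no hostname token between the sender address and the message.
    "Apr 24 14:07:18 172.30.9.224 *Apr 24 13:48:20.095 EDT: "
    "CDP-PA: version 2 packet sent out on Multilink1",
]


def compare(lines=SAMPLES):
    """Return (original_result, strict_result) for each sample line."""
    return [(extract_host(ORIGINAL, l), extract_host(STRICT, l)) for l in lines]


if __name__ == "__main__":
    for original, strict in compare():
        print(f"original={original!r:40} strict={strict!r}")
```

Because `[^ \n]*` can match an empty string, the double space in a padded date is counted as a token boundary, which shifts the capture onto the sender address; a search such as `| stats count by host` over the indexed data shows which unexpected values are actually present.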