All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to set host on index time

manderson7
Contributor
‎04-25-2017 11:59 AM

I'm bringing in Cisco Router logs via syslog and using the TA-Cisco_ios addon. I have some flaky log entries that I've massaged as much as I can when bringing it in, and now have to set the host from the log data. My logs look like: 

Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry  found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1

My props.conf looks like: 

#Define hostname  
[sourcetype::cisco:ios]
Transforms-obfuscated-0-gw=define_host

and Transforms looks like

[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Can someone tell me where to go from here? That regex pulls the hostname according to regex101.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎04-25-2017 12:28 PM

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

mikaelbje
Motivator
‎04-25-2017 12:28 PM

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

Reply
Solved! Jump to solution

manderson7
Contributor
‎04-25-2017 01:05 PM

That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...