Unable to set host on index time

manderson7
Contributor

I'm bringing in Cisco Router logs via syslog and using the TA-Cisco_ios addon. I have some flaky log entries that I've massaged as much as I can when bringing it in, and now have to set the host from the log data. My logs look like:

Apr 24 14:07:28 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:30.191 EDT: **Entry  found in cache**
Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1
Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables
Apr 24 14:06:22 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:24.963 EDT: CDP-PA: version 2 packet sent out on Multilink1

My props.conf looks like:

# Define hostname
[sourcetype::cisco:ios]
TRANSFORMS-obfuscated-0-gw = define_host

and Transforms looks like

[define_host]
REGEX = ^(?:[^ \n]* ){4}([^:]+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Can someone tell me where to go from here? That regex pulls the hostname according to regex101.

1 Solution

mikaelbje
Motivator

I believe you need to change sourcetype::cisco:ios to cisco:ios in your props.conf

manderson7
Contributor

That did it for the most part, thanks! It's bringing in a couple more values for the host field, but that's probably due to my regex.
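To see why the transform can still produce extra host values, here is an added Python check (not from this thread or from Splunk) that runs the thread's transforms.conf regex over constructed lines modelled on the ones in the question, including an assumed RFC 3164 style space-padded single-digit day, next to a tighter pattern anchored on the syslog timestamp. It assumes Python's re engine behaves like Splunk's PCRE for this simple pattern.

```python
import re

# Corrected props.conf stanza per the accepted answer (the stanza name is the
# sourcetype itself, not "sourcetype::<name>"):
#   [cisco:ios]
#   TRANSFORMS-obfuscated-0-gw = define_host

# Regex from the thread's transforms.conf: skip four space-separated tokens
# (month, day, time, relay IP), then capture everything up to the first ':'.
ORIGINAL_HOST_REGEX = re.compile(r"^(?:[^ \n]* ){4}([^:]+)")

# Tighter alternative (added here, not from the thread): match the syslog
# timestamp explicitly so a space-padded day does not shift the token count,
# and stop the capture at whitespace as well as ':'.
STRICT_HOST_REGEX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+([^:\s]+):"
)

# Constructed sample events modelled on the question. The third one uses
# RFC 3164 style padding for a single-digit day ("Apr  4", two spaces).
SAMPLE_LINES = [
    "Apr 24 14:07:18 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:48:20.095 EDT: CDP-PA: version 2 packet sent out on Multilink1",
    "Apr 24 14:06:41 172.30.9.224 obfuscated-wan-0-gw: *Apr 24 13:47:44.175 EDT: BGP: topo global:VPNv4 Multicast:base Scanning routing tables",
    "Apr  4 09:01:02 172.30.9.224 obfuscated-wan-0-gw: *Apr 4 08:42:10.001 EDT: CDP-PA: version 2 packet sent out on Multilink1",
]


def extract_host(line, regex=ORIGINAL_HOST_REGEX):
    """Return what FORMAT = host::$1 would receive for one event, or None."""
    m = regex.match(line)
    return m.group(1) if m else None


def host_values(lines, regex=ORIGINAL_HOST_REGEX):
    """Distinct host values the transform would assign over a batch of events."""
    return sorted({extract_host(line, regex) or "<no match>" for line in lines})


if __name__ == "__main__":
    # With the original regex the padded-day line yields
    # "172.30.9.224 obfuscated-wan-0-gw" as the host; the strict one does not.
    for name, rx in (("original", ORIGINAL_HOST_REGEX), ("strict", STRICT_HOST_REGEX)):
        print(name, host_values(SAMPLE_LINES, rx))
```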
