
Why does this transform (in pretrained sourcetype from Splunk, not the TA) exist for this sourcetype?

wryanthomas
Contributor

Hi there. Could someone please explain why this transform (in pretrained sourcetype from Splunk, not the TA) exists for this sourcetype? It has the consequence of (in many cases) creating divergent host values for a single host, and we're wondering why Splunk has chosen to "bake it in" to do this.

Thanks for any insight.


PickleRick
SplunkTrust

Well, ingesting /var/log/messages as a whole is not the best idea. By default many different types of events land there and there is really no standard format. That's why the events can, and often will, get "misparsed".


warwicks1
Engager

Not sure why it is there exactly but I understand the idea. I do not like the out of the box "syslog" sourcetype for many things, I prefer to instead create sourcetypes specific to the syslogs from the sources I am dealing with at each new client. There are multiple syslog patterns used by various vendors and on top of that often I see them modified during collection/centralization.
There is a bunch of questionable stuff in the nix TA though, look at the eventtypes.conf for some terrible examples of eventtype searches. Ever looked at your logs and wondered why the os and unix and error tags show up on such a wide variety of things? Nix TA eventtypes out of the box is the answer.
Also not forcing more care to be taken with the broad ingestion of directories like /var/log/ results in forcing Splunk to do a lot of sourcetype guessing and, in most places I have been, initially results in many incorrect sourcetypings.

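The two answers above make the same point from different angles: a single generic "take the token after the timestamp" host rewrite applied to a heterogeneous /var/log/messages will assign several host values to one machine, while a sourcetype written for one known line format keeps the host stable. The script below is an added illustration of that effect and is not code from either poster or from Splunk. The sample lines are constructed, and both regular expressions are simplified stand-ins written for this example; neither is the regex Splunk ships in its default transform.

```python
import re

# Constructed sample of what a raw /var/log/messages feed can carry for ONE
# machine (web01): a plain RFC 3164 line, a kernel line, a line that a relay
# prefixed with its own IP, and a line prefixed with a collector's hostname.
SAMPLE_LINES = [
    "Jan 12 10:01:02 web01 sshd[1234]: Accepted publickey for alice",
    "Jan 12 10:01:03 web01 kernel: [12345.678] eth0: link up",
    "Jan 12 10:01:04 10.0.0.5 web01 cron[99]: (root) CMD (run-parts)",
    "Jan 12 10:01:05 collector01 web01 systemd[1]: Started session",
]

# Constructed stand-in for a generic host rewrite: whatever token follows the
# timestamp becomes the host. This is NOT Splunk's shipped transform; it only
# reproduces the "divergent host values" behaviour the thread complains about.
GENERIC_HOST_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)")

# Constructed stand-in for a source-specific rule, written once the operator
# knows this feed may carry one relay/collector token before the real host:
# the host is the token immediately before the "tag[pid]:" / "tag:" field.
SPECIFIC_HOST_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?:\S+\s+)?(\S+)\s+\S+(?:\[\d+\])?:"
)


def extract_hosts(lines, pattern):
    """Apply one host-extraction regex to every line and return the set of
    distinct host values it would assign (None when the regex misses)."""
    hosts = set()
    for line in lines:
        m = pattern.search(line)
        hosts.add(m.group(1) if m else None)
    return hosts


def host_divergence(lines, pattern):
    """Number of distinct host values minus one: 0 means every line of this
    single-machine sample was attributed to the same host."""
    return len(extract_hosts(lines, pattern)) - 1


if __name__ == "__main__":
    for name, rx in (("generic", GENERIC_HOST_RE), ("specific", SPECIFIC_HOST_RE)):
        hosts = sorted(h or "<no match>" for h in extract_hosts(SAMPLE_LINES, rx))
        print(f"{name:9s} rule -> hosts: {hosts}")
```

Run stand-alone, the generic rule attributes the four lines from web01 to three different hosts, which is exactly the asset-correlation problem the question raises; the source-specific rule collapses them back to one. The same check is cheap to run against a real sample before deciding whether a feed can live in a generic sourcetype or needs its own.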