
ise_servername Returning as Host of Syslog Server

cboillot
Contributor

Currently we have our Cisco ISE devices sending to a syslog server, and a forwarder is then bringing that into Splunk. We are running into an issue where ise_servername is not showing the device name, but the Syslog server name. What am I missing? How would I go about fixing this?

1 Solution

livehybrid
SplunkTrust

Hi @cboillot 

In that case, you could use props/transforms like this on the first HF/Indexer that the data hits:

# props.conf
[your_sourcetype]
TRANSFORMS-host = ise_host_extraction

# transforms.conf
[ise_host_extraction]
# https://regex101.com/r/7VrxpN/1
REGEX = ^\S+\s+\S+\s+\S+\s+(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host


🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


PrewinThomas
Motivator

@cboillot 

If you are using syslog-ng, it is preferable to use the host_segment option to extract the host value. This approach helps avoid potential future issues caused by changes in hostname naming conventions or logging patterns that might break regex-based extraction.

You can configure the destination stanza in your syslog configuration file to include the device IP address dynamically in the log file path. Additionally, you can use the host_segment setting to extract the host value for indexing in Splunk.

syslog-ng .conf file, e.g. the destination stanza (the macro may differ if you are using rsyslog or any other syslog daemon):

destination d_device_logs {
    file("/var/log/syslog/$SOURCEIP/${YEAR}-${MONTH}-${DAY}.log");
};

And update inputs.conf with host_segment, e.g.:

[monitor:///var/log/syslog/...]
host_segment = 4


But if you want to stick with regex extraction then use,

props.conf
[cisco:ise:syslog]
TRANSFORMS-set_host = ise_host_override

transforms.conf
[ise_host_override]
REGEX = ^\w+\s+\d+\s+\d+:\d+:\d+\.\d+\s+(\S+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

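Added worked example (my own, not code from either poster or from Splunk): a small Python script that applies the two transforms.conf regexes from the answers above to a constructed copy of cboillot's sample event, and mimics inputs.conf host_segment on a constructed path of the form PrewinThomas's syslog-ng destination would produce. The second sample line (a relay that prefixes its own timestamp and hostname) and the 10.1.2.3 path are assumptions for illustration, not from the thread. It shows the check worth doing before deploying a host override: the looser regex silently returns the relay's hostname on a prefixed line, while the stricter one fails to match and leaves host untouched.

```python
import re
from typing import Optional

# Constructed sample events (not real ISE data). The first follows the format
# cboillot posted; the second is a hypothetical line where a relaying syslog
# daemon has prepended its own timestamp and hostname before the ISE payload.
SAMPLE_EVENTS = [
    "Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 CISE_Passed_Authentications (constructed payload)",
    "Jul 27 23:01:52 syslog-relay-01 Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 (constructed payload)",
]

# The same expressions as the two transforms.conf stanzas in the thread.
RE_GENERIC = re.compile(r"^\S+\s+\S+\s+\S+\s+(\S+)")             # ise_host_extraction (4th token)
RE_STRICT = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\.\d+\s+(\S+)")  # ise_host_override (timestamp shape checked)


def host_from_raw(raw: str, pattern: re.Pattern = RE_STRICT) -> Optional[str]:
    """Mimic a transforms.conf REGEX + FORMAT = host::$1 override on _raw.

    Returns the captured group, or None when the regex does not match; in
    Splunk a non-matching transform leaves the existing host metadata alone.
    """
    m = pattern.match(raw)
    return m.group(1) if m else None


def host_from_path(path: str, host_segment: int) -> Optional[str]:
    """Mimic inputs.conf host_segment = N.

    Segments are the '/'-separated parts of the monitored file path, counted
    from 1 after the leading slash, so /var/log/syslog/<ip>/file.log with
    host_segment = 4 yields <ip>. Returns None for an out-of-range segment.
    """
    segments = [s for s in path.split("/") if s]
    if host_segment < 1 or host_segment > len(segments):
        return None
    return segments[host_segment - 1]


def compare_regexes(events=SAMPLE_EVENTS):
    """Run both regexes over the sample events so the difference is visible."""
    return [(host_from_raw(e, RE_GENERIC), host_from_raw(e, RE_STRICT)) for e in events]


if __name__ == "__main__":
    for raw, (generic, strict) in zip(SAMPLE_EVENTS, compare_regexes()):
        print(f"{raw[:40]!r:45} generic={generic!r:20} strict={strict!r}")
    print("host_segment=4 ->", host_from_path("/var/log/syslog/10.1.2.3/2025-07-27.log", 4))
```

Run it against a handful of your own _raw events (copied from Splunk, not from the syslog file, since the forwarder may present them differently) before enabling the transform on the HF/indexer; a host override that matches the wrong token rewrites metadata on every event of that sourcetype.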

livehybrid
SplunkTrust

Hi @cboillot

Does the host value have the correct source name, or does this show the syslog server too? 

Does the syslog server write the files to a folder structure that contains the source hostname that you need within it? e.g. /var/log/syslog/<deviceName>/blah.log?

If so you would be able to use the host_segment value https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf#:~:text=host_regex%27.%0A*%20No%... to specify the host as the source of the log.

AFAIK, ise_servername ultimately comes from the 'host' field. If you cannot do the host_segment then another option is to use a REGEX props/transform to extract this from the raw event (assuming it is present there). If the other option isn't possible and you'd like some further help writing this then please provide a sample event.


cboillot
Contributor

Thanks. The server name is not in the sourcepath, but it is in the log right after the date.

Jul 27 23:01:51.020755 SDNWISEP0077 0018346907 (...)

I tried to use extract field from the event view, but that didn't work



cboillot
Contributor

I'm going to have to go down the Regex path as the Networking team doesn't want to change how their side is set up.

I want to double check, this would go on the indexer, correct? I missed the "on the first HF/Indexer"
