Archive
Highlighted

Hostname in /var/log/messages

Builder

All,

The default hostname should be fine for my use cases with /var/log/messages brought in with the pretrained sourcetype of linuxmessagessyslog. How ever there is a host overwrite in the default install of Splunk. Is there a formal way to disable this?

This stanza is in /opt/splunk/etc/system/default.

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

I was just going to create a local transforms.conf that uses a different variable,

[syslog-host]
DEST_KEY = MetaData:Extracted_Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

but figure I can't be the first person to run into this. So probably a better way to do it.

Tags (1)
0 Karma
Highlighted

Re: Hostname in /var/log/messages

Influencer

Find out and comment below line in props.conf under sourcetype or source matching /var/log/messages stanza and restart splunk.

TRANSFORMS-<some_unique_name> = syslog-host
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.