Hostname in /var/log/messages

All,

The default hostname should be fine for my use cases with /var/log/messages brought in with the pretrained sourcetype of linuxmessagessyslog. However, there is a host overwrite in the default install of Splunk. Is there a formal way to disable this?

This stanza is in /opt/splunk/etc/system/default.

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

I was just going to create a local transforms.conf that uses a different variable,

[syslog-host]
DEST_KEY = MetaData:Extracted_Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

but I figure I can't be the first person to run into this, so there is probably a better way to do it.

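To see what the default [syslog-host] transform quoted above actually pulls out of a /var/log/messages line, and why that overrides the host assigned by the forwarder, here is an added Python example (not from the original thread and not Splunk's own code). The sample log lines and the event dict are constructed, and the transform_enabled flag is an assumption that models whether the TRANSFORMS line in props.conf is active.

```python
import re

# The REGEX from the default [syslog-host] transforms.conf stanza. It anchors on the
# seconds field of the timestamp (":SS"), skips an optional year or facility.level
# token, then captures the host (3+ chars, optionally in square brackets).
SYSLOG_HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)


def extract_syslog_host(line: str):
    """Return the value the transform would write as host::$1, or None if no match."""
    m = SYSLOG_HOST_REGEX.search(line)
    return m.group(1) if m else None


def apply_transform(event: dict, transform_enabled: bool = True) -> dict:
    """Simulate DEST_KEY = MetaData:Host / FORMAT = host::$1 on one indexed event.

    event["host"] is the host set by the input/forwarder; event["_raw"] is the line.
    With the transform enabled, a regex match overwrites host (the behaviour the
    question asks about). With it disabled (TRANSFORMS line commented out in
    props.conf), the forwarder's host is kept.  transform_enabled is an assumption.
    """
    if not transform_enabled:
        return {**event, "host_overwritten": False}
    extracted = extract_syslog_host(event["_raw"])
    if extracted is None:
        return {**event, "host_overwritten": False}
    return {**event, "host": extracted, "host_overwritten": True}


# Constructed sample lines in the classic /var/log/messages layout.
SAMPLES = [
    "Mar  3 14:02:11 webserver01 sshd[2144]: Accepted publickey for deploy from 10.0.0.5",
    "Mar  3 14:02:12 2024 [db-primary] kernel: [12345.678] audit: type=1400",
    "Mar  3 14:02:13 local7.notice appserver-2 cron[991]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 14:02:14 ab sshd[1]: host name too short for the regex, so no overwrite",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        before = {"host": "forwarder-assigned", "_raw": raw}
        print(extract_syslog_host(raw), apply_transform(before)["host"])
```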

Re: Hostname in /var/log/messages

Find and comment out the line below in props.conf, under the sourcetype or source stanza matching /var/log/messages, then restart Splunk.

TRANSFORMS-<some_unique_name> = syslog-host