Getting Data In

After upgrading to Splunk 5, hostname field is incorrectly extracted

awaite_youzee
Explorer

Hello,

I've been running Splunk 4 for about 2 years now, and I've been feeding it using syslog-ng to aggregate and filter incoming logs from remote hosts. This worked wonderfully, as long as we used the "keep_hostname(yes)" option in syslog-ng.

Now that I've upgraded to Splunk 5, Splunk appears to be setting the hostname field in search to the hostname of the log aggregator, not the original host. So now I've got 3 sets of timestamps, 2 hostnames in the log message itself, and an incorrect host field extraction.

How can I get Splunk to properly handle relayed syslog data, and properly extract the fields from the logs?

1 Solution

yannK
Splunk Employee

What is your sourcetype?
By default the syslog sourcetype extracts the host from the events.

awaite_youzee
Explorer

Yes, I set the sourcetype to be "syslog", but it's extracting the hostname of the log aggregator, not the hostname of the source of the log message.
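The symptom in this thread, as an added illustration that is not from the thread, from syslog-ng or from Splunk: when a relay keeps the original hostname, the event arrives with two "timestamp hostname" headers stacked in front of the tag, and any host extraction that reads the first header picks up the relay. The sample lines, hostnames, PID and address below are constructed; the parser consumes consecutive RFC 3164 headers and treats the innermost one as the origin. It does not reproduce Splunk's own syslog host extraction regex (`first_header_host` only models the first-header behaviour the question describes), and it matters for defenders because alerts and correlation keyed on the host field are attributed to the aggregator instead of the machine that produced the event.

```python
import re

# Constructed sample lines (hostnames, PIDs and addresses are made up).
# RELAYED_LINE is an RFC 3164 message that crossed a syslog-ng relay running
# with keep_hostname(yes): the relay prepended its own "timestamp hostname"
# header, so the event carries two headers plus the application's own ISO
# timestamp in the body -- three timestamps and two hostnames, as in the post.
RELAYED_LINE = (
    "<134>Nov  6 14:02:11 logrelay01 "
    "Nov  6 14:02:10 webfront07 "
    "sshd[4182]: 2012-11-06T14:02:10Z Accepted publickey for deploy "
    "from 10.0.3.7 port 51022 ssh2"
)
# A line received directly from the sender, with no relay hop.
DIRECT_LINE = (
    "<86>Nov  6 14:02:12 webfront07 "
    "sshd[4182]: pam_unix(sshd:session): session opened for user deploy"
)

# One BSD-style header: "Mmm dd HH:MM:SS hostname ". Matched with .match() at a
# running offset so only consecutive headers are consumed, never a timestamp
# that happens to appear in the message body.
HEADER = re.compile(r"(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
PRI = re.compile(r"^<(\d{1,3})>")
TAG = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?: ?")


def parse_relayed(line):
    """Split a possibly relayed syslog line into PRI, header hops, tag and
    message. Returns None when no syslog header is present."""
    pos = 0
    pri = None
    m = PRI.match(line)
    if m:
        pri = int(m.group(1))
        pos = m.end()

    # Each relay hop that keeps the hostname adds one more header in front,
    # so hops[0] is the outermost relay and hops[-1] the original sender.
    hops = []
    while True:
        m = HEADER.match(line, pos)
        if not m:
            break
        hops.append((m.group(1), m.group(2)))
        pos = m.end()
    if not hops:
        return None

    rest = line[pos:]
    m = TAG.match(rest)
    tag = m.group(1) if m else None
    pid = int(m.group(2)) if m and m.group(2) else None
    msg = rest[m.end():] if m else rest

    return {
        "pri": pri,
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "hops": hops,
        "relay_host": hops[0][1] if len(hops) > 1 else None,
        "origin_host": hops[-1][1],
        "tag": tag,
        "pid": pid,
        "msg": msg,
    }


def first_header_host(line):
    """Host as a first-header extraction sees it. After a keep_hostname relay
    this is the aggregator, which is the misattribution the question reports."""
    parsed = parse_relayed(line)
    return parsed["hops"][0][1] if parsed else None


if __name__ == "__main__":
    for line in (RELAYED_LINE, DIRECT_LINE):
        p = parse_relayed(line)
        print(f"first header -> {first_header_host(line)}, "
              f"origin -> {p['origin_host']}, relay -> {p['relay_host']}, "
              f"hops -> {len(p['hops'])}")
```

Run stand-alone it prints `logrelay01` as the first-header host for the relayed line and `webfront07` as the origin; for the direct line both agree and `relay_host` is None. Checking the count of header hops on incoming events is a quick way to confirm whether a relay is re-wrapping messages before adjusting the extraction on the indexer side.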
