Getting Data In

After upgrading to Splunk 5, hostname field is incorrectly extracted

awaite_youzee
Explorer

Hello,

I've been running Splunk 4 for about 2 years now, and I've been feeding it using syslog-ng to aggregate and filter incoming logs from remote hosts. This worked wonderfully, as long as we used the "keep_hostname(yes)" option in syslog-ng.

Now that I've upgraded to Splunk 5, Splunk appears to be setting the hostname field in search to the hostname of the log aggregator, not the original host. So now I've got 3 sets of timestamps, 2 hostnames in the log message itself, and an incorrect host field extraction.

How can I get Splunk to properly handle relayed syslog data, and properly extract the fields from the logs?

1 Solution

yannK
Splunk Employee
Splunk Employee

What is your sourcetype?
by default the syslog sourcetype extract the host from the events.

awaite_youzee
Explorer

yes, I set the sourcetype to be "syslog", but it's extracting the hostname of the log aggregator, not the hostname of the source of the log message.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...