I am seeing many references about how the "syslog" sourcetype takes the hostname from the /var/log/messages logs, by design. However, we want the FQDN. I am also pushing the Linux T/A via Deployment Server, so I cannot easily override etc/system/default/transforms.conf.
How do I get FQDN for ALL of my linux /var/log logs?
Thanks.
Hi @aferone,
If you want to override the default syslog-host stanza in transforms.conf, then you can put your custom configuration on the Indexer/Heavy Forwarder in the path $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf.
This will take precedence over system/default, based on the Configuration file precedence document.
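As an added illustration of the override described in this answer (example configuration, not from the original thread or from Splunk's shipped defaults), the stanzas below show two ways an app-local configuration on the indexer or heavy forwarder can keep the FQDN for /var/log events. The app name, the regex, and the assumption that the forwarder's inputs.conf sets `host` to the FQDN are all assumptions for the example; the stanza name `[syslog-host]`, the `DEST_KEY`, `REGEX`, `FORMAT` and `TRANSFORMS` keys are the standard transforms.conf/props.conf settings.

```ini
# File: $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf
# (on the indexer or heavy forwarder, i.e. wherever parsing happens;
#  a universal forwarder does not apply transforms)
#
# Option 1: replace the shipped [syslog-host] stanza with a version that only
# accepts a dotted (fully qualified) name after the syslog timestamp.
# /var/log/messages normally carries a short hostname, so this regex does not
# match there; when a transform's REGEX does not match, the host field is left
# as the forwarder set it (assumed here to be the FQDN, see inputs.conf below).
# When a line does carry an FQDN, it is captured and used as-is.
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([A-Za-z0-9][A-Za-z0-9\-]*(?:\.[A-Za-z0-9\-]+)+)\s
FORMAT = host::$1

# File: $SPLUNK_HOME/etc/apps/<APP_NAME>/local/props.conf
#
# Option 2 (simpler, assumed to be sufficient for most deployments): stop
# extracting the host from the event text entirely for the syslog sourcetype,
# so every event keeps the host value assigned by the forwarder.
# Leave this out if you use Option 1.
[syslog]
TRANSFORMS =

# File: $SPLUNK_HOME/etc/apps/<APP_NAME>/local/inputs.conf
# (on the universal forwarder, e.g. pushed via Deployment Server)
#
# Both options rely on the forwarder tagging events with the FQDN. The value
# below is a constructed placeholder; set it per host or via a deployment
# server class.
[default]
host = example-host.corp.example.com
```

Option 1 keeps host extraction for sources that do write an FQDN into the line, while Option 2 trusts the forwarder for everything. In either case the local/ file must be on the first parsing tier the data reaches (heavy forwarder if one sits in front of the indexers), and a change to transforms.conf or props.conf needs a restart or a configuration reload on that instance before new events pick it up.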
I will try this. I had remembered the order all wrong. Thanks for your response!