Getting Data In

Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

Builder

I am seeing many references about how the "syslog" sourcetype takes the hostname from the /var/log/messages logs, by design. However, we want FQDN. I am also pushing the Linux T/A via Deployment Server, so I cannot easily override etc/system/default/transforms.conf.

How do I get FQDN for ALL of my Linux /var/log logs?

Thanks.

0 Karma

Re: Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

SplunkTrust

Hi @aferone,

If you want to override the default syslog-host stanza in transforms.conf, you can put your custom configuration on the Indexer/Heavy Forwarder in $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf. This will take precedence over system/default, per the Configuration file precedence document.
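Added example of such an app-level override (not part of the answer above; the app name `fqdn_host_override` is assumed). It neutralises the default `syslog-host` transform so the indexer keeps the host the forwarder assigned; that value is the FQDN only if `host` is set to the FQDN in the forwarder's inputs.conf or server.conf, because the /var/log/messages line itself only carries the short hostname.

```ini
# $SPLUNK_HOME/etc/apps/fqdn_host_override/local/transforms.conf
# Deploy this app to the indexer or heavy forwarder (where parsing happens),
# not to the universal forwarder. Stanza attributes merge with
# system/default/transforms.conf, so only REGEX needs to be overridden here.
# (?!) is a PCRE lookahead that can never match, so the transform never
# rewrites MetaData:Host and the event keeps the forwarder-assigned host.
[syslog-host]
REGEX = (?!)

# $SPLUNK_HOME/etc/apps/fqdn_host_override/local/props.conf
# Alternative: leave transforms.conf alone and clear the unnamed TRANSFORMS
# class that the default [syslog] stanza uses to call syslog-host.
[syslog]
TRANSFORMS =
```

After deploying, restart the indexer (or run `splunk btool transforms list syslog-host --debug` to confirm which file wins) and check that new events from the forwarder show `host=<fqdn>` in search.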


Re: Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

Builder

I will try this. I had remembered the order all wrong. Thanks for your response!

0 Karma