Getting Data In

Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

Builder

I am seeing many references about how the "syslog" sourcetype takes the hostname from the /var/log/messages logs, by design. However, we want FQDN. I am also pushing the Linux T/A via Deployment Server, so I cannot easily override etc/system/default/transforms.conf.

How do I get FQDN for ALL of my Linux /var/log logs?

Thanks.


Re: Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

SplunkTrust

Hi @aferone,

If you want to override the default syslog-host stanza in transforms.conf, you can put your custom configuration on the Indexer/Heavy Forwarder in $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf. This will take precedence over system/default, based on the Configuration file precedence document.
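
The override described in the answer, as an added example that is not from this thread: a constructed syslog-host stanza for $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf, plus a few lines of Python that parse it and emulate which host value Splunk would keep for constructed /var/log/messages lines. The regex, the sample lines and the assumption that the forwarder's own host is already set to the FQDN (for example via `host =` in inputs.conf) are mine, not the page's.

```python
import configparser
import re

# Constructed override for $SPLUNK_HOME/etc/apps/<APP_NAME>/local/transforms.conf.
# The stanza name must stay "syslog-host" so it shadows the system/default copy.
# Only a dotted (FQDN) hostname field matches; a short hostname does not, so the
# forwarder-assigned host (assumed to be the FQDN) is left untouched.
TRANSFORMS_CONF = r"""
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s([\w\-]+(?:\.[\w\-]+)+)\s
FORMAT = host::$1
"""


def load_stanza(conf_text, name):
    """Read one [stanza] from Splunk-style .conf text (INI syntax, keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return dict(cp[name])


def apply_host_transform(stanza, event, forwarder_host):
    """Emulate the transform for one event: return the host value Splunk keeps."""
    match = re.search(stanza["regex"], event)
    if not match:
        return forwarder_host                 # no match: MetaData:Host unchanged
    value = stanza["format"].replace("$1", match.group(1))
    return value.split("::", 1)[1]            # "host::<name>" -> "<name>"


# Constructed sample lines in the traditional "Mon DD hh:mm:ss host ..." syslog layout.
EVENTS = [
    "Jan 12 10:11:12 web01 sshd[1234]: Accepted publickey for deploy",
    "Jan 12 10:11:13 db02.example.com sshd[5678]: session opened",
]


def resolve_hosts(events, forwarder_host="web01.example.com"):
    """Host value kept for each event after the override stanza is applied."""
    stanza = load_stanza(TRANSFORMS_CONF, "syslog-host")
    return [apply_host_transform(stanza, e, forwarder_host) for e in events]


if __name__ == "__main__":
    for event, host in zip(EVENTS, resolve_hosts(EVENTS)):
        print(host, "<-", event)
```

Lines whose timestamp is not in the traditional `Mon DD hh:mm:ss` form (for example RFC 3339 timestamps from newer rsyslog defaults) will not match this regex and will simply keep the forwarder host, so adjust the regex to the actual log layout before deploying it.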


Re: Can't get FQDN for /var/log/messages with Deployment Server and Linux T/A

Builder

I will try this. I had remembered the order all wrong. Thanks for your response!
