Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Change hostname for syslog sourcetype ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to override the default hostname that is being set for the syslog entries on /var/log/messages. These are the only entries that are being indexed with 'hostname' instead of 'hostname.fqdn'
I have tried the following:
$SPLUNKHOME/etc/system/local/props.conf:
[syslog]
TRANSFORMS =
RESULT: No difference
$SPLUNKHOME/etc/system/local/props.conf:
[source::/var/log/messages]
# note: overriding default syslog transform!
TRANSFORMS = something
$SPLUNKHOME/etc/system/local/transforms.conf
[something]
DEST_KEY = MetaData:Host
REGEX = .
FORMAT = host::hostname.fqdn
RESULT: No difference
Am I missing something?
Thanks, John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You realize that once the events are indexed they will not be changed by any configuration change. You will have to restart, and then only newly loaded events will have any change.
Otherwise, it looks like what you are trying should work.
Update:
The one thing I'm not sure about is exactly how the TRANSFORMS is being overwritten. The default config for syslog, which I'm assuming it the sourcetype you are using, uses the "syslog-host" transformer to extract the "host" value from the event text. Of the top of my head, I'm not sure which setting should win in a source vs sourcetype matching precedent like this (normally I try to avoid this kind of conflict.) Using btool and splunk test sourcetype /var/log/messages could be shed some light on the situation.
Related answers:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You realize that once the events are indexed they will not be changed by any configuration change. You will have to restart, and then only newly loaded events will have any change.
Otherwise, it looks like what you are trying should work.
Update:
The one thing I'm not sure about is exactly how the TRANSFORMS is being overwritten. The default config for syslog, which I'm assuming it the sourcetype you are using, uses the "syslog-host" transformer to extract the "host" value from the event text. Of the top of my head, I'm not sure which setting should win in a source vs sourcetype matching precedent like this (normally I try to avoid this kind of conflict.) Using btool and splunk test sourcetype /var/log/messages could be shed some light on the situation.
Related answers:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer - using the related questions helped a lot. Also key piece of info was that SplunkLightForwarders do not apply transforms. The transforms get applied on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I realize this. Even after the changes above the new syslog entries are still being indexed as hostname not as hostname.fqdn as I would expect.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
