Host does not get properly extracted for linux_secure


Host does not get properly extracted for linux_secure (I get the syslog server hostname instead)

I have tried many things:

  1. props.conf

    TRANSFORM = syslog-host

  2. props.conf

    TRANSFORM-host = syslog-host

  3. props.conf

    TRANSFORMS-zz_fix_host = syslog_add_fqdn

     transforms.conf (stanza referenced by the setting above)

    [syslog_add_fqdn]
    DEST_KEY = MetaData:Host
    SOURCE_KEY = MetaData:Host
    REGEX = host::.
    FORMAT = host::testrename

None of these options work (including after restart).


If you issue the following command, what do you get for the [linux_secure] stanza?

$SPLUNK_HOME/bin/splunk btool --debug props list | more

Also, I wouldn't set the host name using a transform when you can easily set it in props.conf, or even inputs.conf.


This should work -- unless the system is supplying

TRANSFORMS = syslog-host

which it does for some known sourcetypes. The first command will help you figure that out.

Finally, a very important question: where is your props.conf? What is the location of the file? Configuration file precedence is very important in Splunk; if you understand it, great! But if not, take a look at Configuration File Precedence in the Admin manual.
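A corrected pair of configuration files for the scenario in the question, added here as an illustration and not the answerer's own configuration. It assumes the events are plain syslog lines whose originating hostname is the first word after the timestamp, that both files live in the local directory of one app on the instance that first parses the data (an indexer or heavy forwarder, not a universal forwarder), and that `syslog_src_host` and `<your_app>` are names chosen for this example. The valid setting name is `TRANSFORMS-<class>` (or the bare `TRANSFORMS` that the default props.conf uses); the `TRANSFORM` and `TRANSFORM-host` keys tried in the question are not recognized settings, which is exactly what `btool --debug` output makes visible.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Example only. Uses the same setting name as the shipped
# "TRANSFORMS = syslog-host" for this sourcetype, so the local
# file wins by configuration-file precedence instead of running
# as a second transform class after the default one.
[linux_secure]
TRANSFORMS = syslog_src_host

# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
# SOURCE_KEY is left at its default (_raw), so the regex runs
# against the event text rather than against the host value the
# syslog server or forwarder already assigned.
[syslog_src_host]
# Constructed sample line this regex is written for:
#   Mar  3 10:15:42 web01 sshd[1234]: Accepted publickey for alice
# Capture group 1 is the originating host ("web01").
REGEX = ^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+([\w.-]+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After a restart, the `$SPLUNK_HOME/bin/splunk btool --debug props list` command from the answer should show the `[linux_secure]` stanza's `TRANSFORMS` line annotated with the path of this local props.conf; if it still points at the default file, the local file is in the wrong place or on the wrong instance.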

Alexander, can you paste a sample of your syslog output here?
