Host does not get properly extracted for linux_secure

Path Finder

Host does not get properly extracted for linux_secure (I get the syslog server hostname instead)

I have tried many things:

  1. props.conf

    [linux_secure]
    TRANSFORM = syslog-host

  2. props.conf

    [linux_secure]
    TRANSFORM-host = syslog-host

  3. props.conf

    [linux_secure]
    TRANSFORMS-zz_fixhost = syslog_addfqdn

    transforms.conf

    [syslog_addfqdn]
    DEST_KEY = MetaData:Host
    SOURCE_KEY = MetaData:Host
    REGEX = host::.
    FORMAT = host::testrename

None of these options work (including after restart).

Legend

If you issue the following command, what do you get for the [linux_secure] stanza?

    $SPLUNK_HOME/bin/splunk btool --debug props list | more

Also, I wouldn't set the host name using a transform, when you can easily set it in props.conf, or even inputs.conf:

    host=testrename

This should work -- unless the system is supplying

    TRANSFORMS = syslog-host

which it does for some known sourcetypes. The first command will help you figure that out.

Finally, a very important question: where is your props.conf? What is the location of the file? Configuration file precedence is very important in Splunk; if you understand it, great! But if not, take a look at Configuration File Precedence in the Admin manual.
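As an added illustration (not part of this thread and not a Splunk tool), the checker below parses the props.conf/transforms.conf snippets from the question and flags the wiring problems the answer points at: a key that is not `TRANSFORMS-<class>` (which Splunk silently ignores), a transform name that transforms.conf never defines, and a transform stanza lacking the `DEST_KEY = MetaData:Host` needed for a host override. The sample stanzas are re-typed from the three attempts above; a clean result only means the files are wired correctly, so precedence and btool output are the next thing to check.

```python
import configparser
import re

# Splunk honours TRANSFORMS-<class> (and the legacy bare TRANSFORMS); other spellings are ignored.
TRANSFORMS_KEY = re.compile(r"^TRANSFORMS(-[A-Za-z0-9_-]+)?$")
HOST_OVERRIDE_KEYS = ("REGEX", "FORMAT", "DEST_KEY")

# Constructed samples, re-typed from the three attempts in the question above.
ATTEMPT_1_PROPS = "[linux_secure]\nTRANSFORM = syslog-host\n"
ATTEMPT_2_PROPS = "[linux_secure]\nTRANSFORM-host = syslog-host\n"
ATTEMPT_3_PROPS = "[linux_secure]\nTRANSFORMS-zz_fixhost = syslog_addfqdn\n"
ATTEMPT_3_TRANSFORMS = (
    "[syslog_addfqdn]\nDEST_KEY = MetaData:Host\nSOURCE_KEY = MetaData:Host\n"
    "REGEX = host::.\nFORMAT = host::testrename\n"
)


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Splunk wants DEST_KEY, not dest_key
    cp.read_string(text)
    return cp


def lint(props_text, transforms_text=""):
    """Return findings that would stop a host override from firing (empty list = wiring is sound)."""
    props, transforms = _parse(props_text), _parse(transforms_text)
    findings = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.upper().startswith("TRANSFORM"):
                continue
            if not TRANSFORMS_KEY.match(key):
                findings.append(f"[{stanza}] '{key}' is ignored: use TRANSFORMS-<class> = <stanza>")
                continue
            for name in (v.strip() for v in value.split(",")):
                if not transforms.has_section(name):
                    findings.append(f"[{stanza}] {key} names '{name}', which transforms.conf does not define")
                    continue
                missing = [k for k in HOST_OVERRIDE_KEYS if not transforms.has_option(name, k)]
                if missing:
                    findings.append(f"[{name}] is missing {', '.join(missing)}")
                elif transforms.get(name, "DEST_KEY") != "MetaData:Host":
                    findings.append(f"[{name}] DEST_KEY is not MetaData:Host, so host is left untouched")
    return findings


if __name__ == "__main__":
    for label, args in (("attempt 1", (ATTEMPT_1_PROPS,)), ("attempt 2", (ATTEMPT_2_PROPS,)),
                        ("attempt 3", (ATTEMPT_3_PROPS, ATTEMPT_3_TRANSFORMS))):
        print(label, lint(*args) or "no wiring problem found; check btool output and file precedence")
```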

Splunk Employee

Alexander, can you paste a sample of your syslog output here?