Host does not get properly extracted for linux_sec...

alexander_lucas · ‎09-02-2011

Host does not get properly extracted for linux_secure (I get the syslog server hostname instead)

I have tried many things:

props.conf
[linux_secure] TRANSFORM = syslog-host
props.conf
[linux_secure] TRANSFORM-host = syslog-host
props.conf
[linux_secure] TRANSFORMS-zz_fix_host = syslog_add_fqdn
transforms.conf
[syslog_add_fqdn] DEST_KEY = MetaData:Host SOURCE_KEY = MetaData:Host REGEX = host::. FORMAT = host::testrename

None of these options work (including after restart).

lguinn2 · ‎09-03-2011

If you issue the following command, what do you get for the [linux_secure] stanza?

$SPLUNK_HOME/bin/splunk btool --debug props list | more

Also, I wouldn't set the host name using a transform, when you can easily set it in props.conf, or even inputs.conf

host=testrename

This should work -- unless the system is supplying

TRANSFORMS = syslog-host

which it does for some known sourcetypes. The first command will help you figure that out.

Finally, a very important question: where is your props.conf? What is the location of the file? Configuration file precedence is very important in Splunk; if you understand it, great! But if not, take a look at Configuration File Precedence in the Admin manual.

dmaislin_splunk · ‎09-02-2011

Alexander, can you paste a sample of our syslog output here?

Host does not get properly extracted for linux_secure

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation