Hostname in /var/log/messages

daniel333 · ‎03-17-2020

All,

The default hostname should be fine for my use cases with /var/log/messages brought in with the pretrained sourcetype of linux_messages_syslog. How ever there is a host overwrite in the default install of Splunk. Is there a formal way to disable this?

This stanza is in /opt/splunk/etc/system/default.

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

I was just going to create a local transforms.conf that uses a different variable,

[syslog-host]
DEST_KEY = MetaData:Extracted_Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

but figure I can't be the first person to run into this. So probably a better way to do it.

manjunathmeti · ‎03-17-2020

Find out and comment below line in props.conf under sourcetype or source matching /var/log/messages stanza and restart splunk.

TRANSFORMS-<some_unique_name> = syslog-host

Hostname in /var/log/messages

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Hostname in /var/log/messages

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers