Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hostname in /var/log/messages

daniel333
Builder
‎03-17-2020 01:01 PM

All,

The default hostname should be fine for my use cases with /var/log/messages brought in with the pretrained sourcetype of linux_messages_syslog. How ever there is a host overwrite in the default install of Splunk. Is there a formal way to disable this?

This stanza is in /opt/splunk/etc/system/default. 

[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

I was just going to create a local transforms.conf that uses a different variable, 

[syslog-host]
DEST_KEY = MetaData:Extracted_Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1

but figure I can't be the first person to run into this. So probably a better way to do it.

Tags (1)
0 Karma
Reply

manjunathmeti
Champion
‎03-17-2020 08:00 PM

Find out and comment below line in props.conf under sourcetype or source matching /var/log/messages stanza and restart splunk.

TRANSFORMS-<some_unique_name> = syslog-host
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
li.common.scroll-to.top