Solved: How can I show the host values under selected fiel...

pil321 · ‎08-25-2017

I'm currently forwarding all network device logs (syslog) from a syslog server (rsyslog - running on RHEL 7) to an indexer via universal forwarder (UF). The logs are making it to the indexer (index=syslog), but under 'selected fields' on the 'search & reporting' app no host name is being shown (?), just source and sourcetype.

Has anyone ever seen anything like this?

somesoni2 · ‎08-25-2017

You can update which fields come under section 'selected fields'. Click on 'All fields' link on top of field sidebar, then select the checkbox against the fields that you want to show in selected fields.

View solution in original post

somesoni2 · ‎08-25-2017

You can update which fields come under section 'selected fields'. Click on 'All fields' link on top of field sidebar, then select the checkbox against the fields that you want to show in selected fields.

pil321 · ‎08-25-2017

Wow! It was that simple! I've never seen it do this before though - it usually just defaults to that.

Thanks @somesoni2!

somesoni2 · ‎08-25-2017

Glad it worked out for you. Do remember to close the question so that any future reader with similar issue can reference it.

pil321 · ‎08-25-2017

Will do. Thanks again!

Grumpalot · ‎08-25-2017

@pil321 did you set the host_segment inside of your inputs.conf? I would think it would default to the actual UF device if one isn't designated, but it could be possible it doesn't.

pil321 · ‎08-25-2017

thanks for the reply @Grumpalot - it's set (host_segment = 3).

How can I show the host values under selected fields for syslog?

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability