Getting Data In

How can I show the host values under selected fields for syslog?

pil321
Communicator

I'm currently forwarding all network device logs (syslog) from a syslog server (rsyslog - running on RHEL 7) to an indexer via universal forwarder (UF). The logs are making it to the indexer (index=syslog), but under 'selected fields' on the 'search & reporting' app no host name is being shown (?), just source and sourcetype.

Has anyone ever seen anything like this?

0 Karma
1 Solution

somesoni2
Revered Legend

You can update which fields come under section 'selected fields'. Click on 'All fields' link on top of field sidebar, then select the checkbox against the fields that you want to show in selected fields.

View solution in original post

0 Karma

somesoni2
Revered Legend

You can update which fields come under section 'selected fields'. Click on 'All fields' link on top of field sidebar, then select the checkbox against the fields that you want to show in selected fields.

0 Karma

pil321
Communicator

Wow! It was that simple! I've never seen it do this before though - it usually just defaults to that.

Thanks @somesoni2!

0 Karma

somesoni2
Revered Legend

Glad it worked out for you. Do remember to close the question so that any future reader with similar issue can reference it.

0 Karma

pil321
Communicator

Will do. Thanks again!

0 Karma

Grumpalot
Communicator

@pil321 did you set the host_segment inside of your inputs.conf? I would think it would default to the actual UF device if one isn't designated, but it could be possible it doesn't.

0 Karma

pil321
Communicator

thanks for the reply @Grumpalot - it's set (host_segment = 3).

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...