Splunk 7.0.2. A universal forwarder running on a Linux box, splunk2.lab.local, is sending a monitor of /var/log to a search at splunk.lab.local. Events are showing up as host splunk2.lab.local, except for source type syslog, which is coming in as just splunk2. I would like to normalize this so both hosts are splunk2.lab.local.
I see in props.conf on the search box:
[syslog]
TRANSFORMS = syslog-host
I tried just making that:
[syslog]
TRANSFORMS =
What is the best way to handle this? Should I do something on the Linux host that will make it log its hostname in syslog as the FQDN? Is there a way to handle it where maybe I can set up an alias or similar so that the two values can be merged?
I had a similar issue. Since it is recommended to use a syslog server instead of sending syslog straight to Splunk, I put up an rsyslog server. My rsyslog server had the option %FROMHOST% to put incoming syslog traffic into
/data/<reverse DNS or IP address>/syslog
So each syslog client had a log file like /data/test.local/syslog (if reverse DNS was available) or /data/192.168.0.10/syslog.
The Splunk directory monitor had the option "host_segment = 2", so the host field should be either the FQDN or the IP address. However, the syslog sourcetype overwrote the host value via "TRANSFORMS = syslog-host".
I did not like this behaviour. So like you I made the following changes via etc/system/local/props.conf on my heavy forwarder (because that's where the indexing phase took place):
[syslog]
TRANSFORMS =
So I think you are handling this just fine.
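Pulling the three pieces of the answer above together, here is an added example (not from the original post and not Splunk's or rsyslog's own shipped configuration) of the rsyslog per-host template, the Splunk monitor stanza with host_segment, and the props.conf override that stops syslog-host from clobbering the host. File paths under /etc/rsyslog.d, the listener port, and the template and ruleset names are assumptions chosen for illustration.

```conf
# --- /etc/rsyslog.d/remote.conf on the syslog server (rsyslog 7+ RainerScript) ---
module(load="imudp")
module(load="imtcp")

# One file per sender, keyed on %FROMHOST%: the reverse-DNS name of the
# sending host, or its IP address when no PTR record exists.
# (Template and ruleset names below are assumed, not shipped defaults.)
template(name="PerHostSyslog" type="string" string="/data/%FROMHOST%/syslog")

# Bind the network listeners to their own ruleset so the server's own local
# syslog stays in /var/log and does not land under /data/.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostSyslog")
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the heavy forwarder ---
# Path segments are counted from 1 after the leading slash, so for
# /data/test.local/syslog segment 2 is "test.local" (or the sender's IP).
[monitor:///data/*/syslog]
sourcetype = syslog
host_segment = 2
disabled = false

# --- $SPLUNK_HOME/etc/system/local/props.conf on the heavy forwarder ---
# The shipped [syslog] stanza sets TRANSFORMS = syslog-host, which re-extracts
# the host from the message text (the short name the sender wrote, e.g.
# "splunk2") and overwrites the value set by host_segment. An empty value in
# system/local takes precedence and switches that index-time transform off.
[syslog]
TRANSFORMS =
```

Two practical notes. First, index-time settings only take effect on the first full Splunk instance in the path (a heavy forwarder or the indexer), never on a universal forwarder, and they need a restart of that instance; for the setup in the question, where the UF sends straight to splunk.lab.local, only the props.conf part applies and it belongs on that box. After restarting, `splunk btool props list syslog --debug` shows which file each [syslog] attribute is resolved from and confirms that TRANSFORMS now comes from system/local with an empty value. Second, this disables syslog-host for every event of sourcetype syslog on that instance, so any other input that relied on it to split a single aggregated file into per-host events will now take the forwarder's host instead; give such inputs their own sourcetype if you need both behaviours.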