Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure transforms.conf on a heavy forwarder to combine sourcetype and host into one host key?

ehudb
Contributor
‎04-25-2016 11:36 PM

I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output).

Since syslog contains only 'host' and raw data, I'm missing the 'sourcetype' in the syslog.

I would like to make an index-time transform that combines the sourcetype and the host, together in the host field.

The reason for that, is because I'm sending those events to syslog-ng, and not to a Splunk indexer.
Syslog format cannot contain special fields like sourcetype.

Is there any way to use transform with two SOURCE_KEYs into one DEST_KEY?

0 Karma
Reply

HeinzWaescher
Motivator
‎04-26-2016 12:47 AM

You can combine both values like this:

| eval new_field=sourcetype."-".host
0 Karma
Reply

ehudb
Contributor
‎04-26-2016 01:13 AM

I can't use any search for this, since the events don't get into indexer at all, they go from HeavyForwarder straight to syslog output.
So I can only modify index-time fields, at index time, such as host, source, sourcetype, index.

Problem is, syslog format doesn't contain sourcetype field, it only contain host and _raw.
So I thought maybe I could insert the sourcetytpe into the host somehow.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...