Getting Data In

How to configure transforms.conf on a heavy forwarder to combine sourcetype and host into one host key?

ehudb
Contributor

I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output).

Since syslog contains only 'host' and raw data, I'm missing the 'sourcetype' in the syslog.

I would like to make an index-time transform that combines the sourcetype and the host, together in the host field.

The reason for that is that I'm sending those events to syslog-ng, and not to a Splunk indexer.
Syslog format cannot contain special fields like sourcetype.

Is there any way to use transform with two SOURCE_KEYs into one DEST_KEY?

0 Karma

HeinzWaescher
Motivator

You can combine both values like this:

| eval new_field=sourcetype."-".host
0 Karma

ehudb
Contributor

I can't use any search for this, since the events don't get into the indexer at all; they go from the Heavy Forwarder straight to syslog output.
So I can only modify index-time fields, at index time, such as host, source, sourcetype, index.

The problem is, syslog format doesn't contain a sourcetype field; it only contains host and _raw.
So I thought maybe I could insert the sourcetype into the host somehow.

0 Karma
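A transforms.conf stanza accepts exactly one SOURCE_KEY, so a single regex-based transform cannot read sourcetype and host together. On a heavy forwarder running Splunk 7.2 or later, an INGEST_EVAL transform can read and rewrite index-time fields in one eval expression, which is the same concatenation HeinzWaescher suggests, applied before the event leaves the forwarder. The configuration below is an added example, not from the original thread: the stanza and class names (`combine_st_host`, `TRANSFORMS-combine`), the `[default]` scope, and the two placeholder names for the existing syslog-routing and nullQueue transforms are assumptions.

```ini
# transforms.conf (heavy forwarder) -- added example, stanza name is an assumption
[combine_st_host]
# Rewrite the index-time host to "<sourcetype>-<host>" before the event reaches
# the syslog output. The syslog header carries host, so the sourcetype travels
# inside it; raw data is untouched.
INGEST_EVAL = host = sourcetype . "-" . host

# props.conf (heavy forwarder) -- added example
[default]
# Applies to every event. Transforms listed in one TRANSFORMS- setting run in
# the order given, so combine_st_host must come ahead of the existing syslog
# routing and nullQueue transforms; the two names after it are placeholders
# for whatever those existing stanzas are called.
TRANSFORMS-combine = combine_st_host, <existing_syslog_routing_transform>, <existing_nullqueue_transform>
```

After restarting the forwarder, check the syslog-ng side: the HOST field of each message should now read as `sourcetype-host`. Two caveats: the combined value is used verbatim as the syslog hostname, so sourcetypes containing spaces or other characters that a receiving parser rejects need to be normalised in the same eval (for example with `replace()`); and on forwarders older than 7.2, which lack INGEST_EVAL, there is no single-transform way to do this, because a regex transform can only see one key at a time.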