Getting Data In

How to configure transforms.conf on a heavy forwarder to combine sourcetype and host into one host key?

Contributor

I'm exporting events from a Heavy Forwarder to syslog without indexing (throwing to nullQueue after syslog output).

Since syslog contains only 'host' and raw data, I'm missing the 'sourcetype' in the syslog.

I would like to make an index-time transform that combines the sourcetype and the host, together in the host field.

The reason for that, is because I'm sending those events to syslog-ng, and not to a Splunk indexer.
Syslog format cannot contain special fields like sourcetype.

Is there any way to use transform with two SOURCE_KEYs into one DEST_KEY?

0 Karma

Motivator

You can combine both values like this:

| eval new_field=sourcetype."-".host
0 Karma

Contributor

I can't use any search for this, since the events don't get into indexer at all, they go from HeavyForwarder straight to syslog output.
So I can only modify index-time fields, at index time, such as host, source, sourcetype, index.

Problem is, syslog format doesn't contain sourcetype field, it only contain host and _raw.
So I thought maybe I could insert the sourcetytpe into the host somehow.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!