Getting Data In

How to create a field to represent the intermediate forwarder for syslog data?

dm1
Contributor

We are ingesting syslog data via syslog server and have configured host overriding on the local UF to show host field value as the originating host.

Because we have syslog data from multiple syslog servers, I would like to be able to identify which syslog server is sending what syslog data.

I recall there was a way to configure some metadata field to extract and apply a transform for creating a new host field for the intermediate forwarder, but I don't recall how I did it.

Can someone please advise how to do this?


0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @dm1 

You can use INGEST_EVAL in transforms.conf to create an index-time field and reference that transform in props.conf on the HF/indexer.

It works similarly to eval; your syslog server name should be part of one of the default fields (host, source) or _raw. Refer - transforms.conf - Splunk Documentation

---

An upvote would be appreciated if it helps!

0 Karma

dm1
Contributor

Can you please give an example of how this can be achieved using INGEST_EVAL?

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @dm1

The following should be deployed to the HF/indexer. I'm assuming here that your source field contains the syslog server host; it could be in _raw as well.

The syslog_server field will be indexed.


# props.conf
# Scope the stanza to your sourcetype, or use a [source::<path>] or [host::<name>] stanza instead.
# The props.conf key that references a transform is TRANSFORMS-<class>, not TRANSFORM-<class>.
[sourcetype_name_here]
TRANSFORMS-set_syslogs = index-syslog-host

# transforms.conf
# INGEST_EVAL works the same way as EVAL, but the result is written to the event at index time.
# Take the 4th "/"-separated segment of source (0-based index 3); adjust the index to your directory layout.
[index-syslog-host]
INGEST_EVAL = syslog_server=mvindex(split(source,"/"),3)


UI version of testing the EVAL: [screenshot]

---

An upvote would be appreciated if it helps!

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

The method that @venkatasri proposed works well, but how to implement it in your environment depends on how you are taking those logs into Splunk. Are you using a UDP/TCP port directly on the forwarder, or are you reading those from the filesystem (as @venkatasri supposed), and how are those divided on the FS if they are there?

r. Ismo

0 Karma
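An added, offline Python model of the INGEST_EVAL transform in @venkatasri's answer, applied to constructed sources; it is example code, not part of this thread or of Splunk. It reproduces the split/mvindex logic, shows why the index depends on the on-disk directory layout, and shows the case @isoutamo raises: a network input (assumed here to carry a source such as udp:514) has no path to split, so the field comes out null. Python's split keeps an empty leading element for absolute paths, so confirm the index against a real source with a search-time eval before deploying.

```python
"""Offline model of: INGEST_EVAL = syslog_server=mvindex(split(source,"/"),<idx>)."""
from typing import List, Optional


def split(value: str, sep: str) -> List[str]:
    # Mirrors Splunk's split(): the pieces become a multivalue list.
    # Note: an absolute path yields an empty first element here.
    return value.split(sep)


def mvindex(values: List[str], idx: int) -> Optional[str]:
    # Mirrors Splunk's mvindex(): an out-of-range index yields null (None).
    if -len(values) <= idx < len(values):
        return values[idx]
    return None


def syslog_server_from_source(source: str, idx: int = 3) -> Optional[str]:
    """The transform's eval with a configurable segment index (3 as in the thread)."""
    return mvindex(split(source, "/"), idx)


def choose_index(sample_source: str, server_name: str) -> Optional[int]:
    """Locate the segment that holds the syslog server name for a known sample path."""
    parts = split(sample_source, "/")
    return parts.index(server_name) if server_name in parts else None


# Constructed sample events (hypothetical layout): two file-based sources written
# by different syslog servers, plus one network input with no path in source.
SAMPLE_EVENTS = [
    {"host": "web01", "source": "/var/log/remote/syslog-a/web01/messages"},
    {"host": "db02", "source": "/var/log/remote/syslog-b/db02/messages"},
    {"host": "fw01", "source": "udp:514"},
]


def enrich(events: List[dict], idx: int = 3) -> List[dict]:
    """Apply the transform to each event and return copies carrying syslog_server."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev["syslog_server"] = syslog_server_from_source(ev["source"], idx)
        out.append(ev)
    return out


if __name__ == "__main__":
    # Derive the right index from one known path instead of guessing 3.
    idx = choose_index(SAMPLE_EVENTS[0]["source"], "syslog-a")
    for ev in enrich(SAMPLE_EVENTS, idx=idx):
        print(ev)  # fw01 gets syslog_server=None: nothing to split on a UDP source
```

With the thread's literal index of 3 the sample path yields "remote", not the server directory; that is the layout-dependence the answer's comment hints at.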